combine_ovals.py from SCAP Security Guide ssg: [0, 1, 44], python: 3.7.2 5.11 2019-04-18T09:25:33 Banner for FTP Users SUSE Linux Enterprise 12 This setting will cause the system greeting banner to be used for FTP connections as well. Ensure root has a mail alias SUSE Linux Enterprise 12 Check if root has the correct mail alias. Ensure insecure_locks is disabled SUSE Linux Enterprise 12 Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user. Configure Time Service Maxpoll Interval SUSE Linux Enterprise 12 Configure the maxpoll setting in /etc/ntp.conf or chrony.conf to continuously poll the time source servers. No shosts.equiv file deployed on the system SUSE Linux Enterprise 12 There should not be any shosts.equiv files on the system. No .shosts file deployed on the system SUSE Linux Enterprise 12 There should not be any .shosts files on the system. Require Client SMB Packet Signing, if using mount.cifs SUSE Linux Enterprise 12 Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are used. SNMP default communities disabled SUSE Linux Enterprise 12 SNMP default communities must be removed. SNMP use newer protocols SUSE Linux Enterprise 12 SNMP version 1 and 2c must not be enabled. Disable Host-Based Authentication SUSE Linux Enterprise 12 SSH host-based authentication should be disabled. Disable Compression Or Set Compression to delayed SUSE Linux Enterprise 12 SSH should either have compression disabled or set to delayed. Disable Empty Passwords SUSE Linux Enterprise 12 Remote connections from accounts with empty passwords should be disabled (and dependencies are met) Disable SSH Support for Rhosts RSA Authentication SUSE Linux Enterprise 12 SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled. Disable root Login via SSH SUSE Linux Enterprise 12 Root login via SSH should be disabled (and dependencies are met) Disable SSH Support for User Known Hosts SUSE Linux Enterprise 12 SSH can allow system users host-based authentication to connect to systems if a cache of the remote systems public keys are available. This should be disabled. Do Not Allow Users to Set Environment Options SUSE Linux Enterprise 12 PermitUserEnvironment should be disabled Enable SSH Server's Strict Mode SUSE Linux Enterprise 12 Enable StrictMode to check users home directory permissions and configurations. Enable a Warning Banner SUSE Linux Enterprise 12 SSH warning banner should be enabled (and dependencies are met) Enable X11 Forwarding SUSE Linux Enterprise 12 Enable X11Forwarding to encrypt X11 remote connections over SSH. Enable Print Last Log SUSE Linux Enterprise 12 Enable PrintLastLog to display user's last login time and date. Set OpenSSH Idle Timeout Interval SUSE Linux Enterprise 12 The SSH idle timeout interval should be set to an appropriate value. Set ClientAliveCountMax for User Logins SUSE Linux Enterprise 12 The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met) Set OpenSSH LogLevel to INFO SUSE Linux Enterprise 12 The SSH LogLevel should be set to INFO. Set OpenSSH authentication attempt limit (MaxAuthTries) SUSE Linux Enterprise 12 The SSH MaxAuthTries should be set to an appropriate value. Use Only Approved Ciphers SUSE Linux Enterprise 12 Limit the ciphers to those which are FIPS-approved. Use Only FIPS MACs SUSE Linux Enterprise 12 Limit the Message Authentication Codes (MACs) to those which are FIPS-approved. Use Priviledge Separation SUSE Linux Enterprise 12 Use priviledge separation to cause the SSH process to drop root privileges when not needed. Set OpenSSH LogLevel to VERBOSE SUSE Linux Enterprise 12 The SSH LogLevel should be set to VERBOSE. Configure SSSD's Memory Cache to Expire SUSE Linux Enterprise 12 SSSD's memory cache should be configured to set to expire records after 1 day. Configure SSSD to Expire Offline Credentials SUSE Linux Enterprise 12 SSSD should be configured to expire offline credentials after 1 day. System Login Banner Compliance SUSE Linux Enterprise 12 The system login banner text should be set correctly. System Login Banner Compliance SUSE Linux Enterprise 12 The system login banner text should be set correctly. Enable GNOME3 Login Warning Banner SUSE Linux Enterprise 12 Enable the GNOME3 Login warning banner. Enable GUI Warning Banner SUSE Linux Enterprise 12 Enable the GUI warning banner. The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI). SUSE Linux Enterprise 12 Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System GUI Login Banner Compliance SUSE Linux Enterprise 12 The system login banner text should be set correctly. Set Last Login/Access Notification SUSE Linux Enterprise 12 Configure the system to notify users of last login/access using pam_lastlog. Set Last Login/Access Notification SUSE Linux Enterprise 12 Configure the system to notify users of last login/access using pam_lastlog. The PAM configuration should not be changed automatically SUSE Linux Enterprise 12 Verify the SUSE operating system is configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. Limit Password Reuse SUSE Linux Enterprise 12 The passwords to remember should be set correctly. Lock out account after failed login attempts SUSE Linux Enterprise 12 The number of allowed failed logins should be set correctly. Lock out account after failed login attempts SUSE Linux Enterprise 12 The number of allowed failed logins should be set correctly. Set Password Strength Minimum Digit Characters SUSE Linux Enterprise 12 The pam_cracklib module's "dcredit=" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many uppercase characters. Set Password Strength Minimum Different Characters SUSE Linux Enterprise 12 The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Set Password Strength Minimum Lowercase Characters SUSE Linux Enterprise 12 The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. Set Password Minimum Length SUSE Linux Enterprise 12 The pam_cracklib module's "minlen=" parameter controls requirements for the minimum length of a password. Set Password Strength Minimum Special Characters SUSE Linux Enterprise 12 The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. Set Password Strength Minimum Uppercase Characters SUSE Linux Enterprise 12 The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. Set SHA512 Password Hashing Algorithm in /etc/login.defs SUSE Linux Enterprise 12 The password hashing algorithm should be set correctly in /etc/login.defs. Set Password Hashing Algorithm in /etc/pam.d/system-auth SUSE Linux Enterprise 12 The password hashing algorithm should be set correctly in /etc/pam.d/system-auth. Set Password Hashing Minimum Rounds in /etc/login.defs SUSE Linux Enterprise 12 The password hashing minimum rounds should be set correctly in /etc/login.defs. Set Password Hashing Algorithm in /etc/pam.d/common-auth SUSE Linux Enterprise 12 The password hashing algorithm should be set correctly in /etc/pam.d/common-auth. Disable Ctrl-Alt-Del Reboot Activation SUSE Linux Enterprise 12 By default, the system will reboot when the Ctrl-Alt-Del key sequence is pressed. Ensure vlock Command is Installed SUSE Linux Enterprise 12 Check if the vlock command is installed. Install needed packages for smartcard use. SUSE Linux Enterprise 12 The required RPM packages must be installed. Enable Smart Card Login SUSE Linux Enterprise 12 Enable Smart Card logins Enable Smart Card Login in PAM SUSE Linux Enterprise 12 Enable Smart Card logins using PAM Enable Smart Card CA Checks SUSE Linux Enterprise 12 Enable Smart Card CA Checks Set All Accounts To Have Unique IDs SUSE Linux Enterprise 12 All accounts on the system should have unique IDs for proper accountability. Set Accounts to Expire Following Password Expiration SUSE Linux Enterprise 12 The accounts should be configured to expire automatically following password expiration. Set All Accounts To Have Unique Names SUSE Linux Enterprise 12 All accounts on the system should have unique names for proper accountability. Set Accounts to Expire Following Password Expiration SUSE Linux Enterprise 12 The accounts should be configured to expire automatically following password expiration. Set Accounts to Expire Following Password Expiration SUSE Linux Enterprise 12 The accounts should be configured to expire automatically following password expiration. Set Password Expiration Parameters SUSE Linux Enterprise 12 The maximum password age policy should meet minimum requirements. Set Password Expiration Parameters SUSE Linux Enterprise 12 The minimum password age policy should be set appropriately. Set Password Expiration Parameters SUSE Linux Enterprise 12 The password minimum length should be set appropriately. Set Password Expiration Parameters SUSE Linux Enterprise 12 The password expiration warning age should be set appropriately. All Password Hashes Shadowed SUSE Linux Enterprise 12 All password hashes should be shadowed. No nullok Option in PAM configuration SUSE Linux Enterprise 12 The PAM configuration should not contain the nullok option Verify No netrc Files Exist SUSE Linux Enterprise 12 The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed. All Password Hashes Shadowed SUSE Linux Enterprise 12 All password hashes should be shadowed. UID 0 Belongs Only To Root SUSE Linux Enterprise 12 Only the root account should be assigned a user id of 0. Direct root Logins Not Allowed SUSE Linux Enterprise 12 Preventing direct root logins help ensure accountability for actions taken on the system using the root account. System Accounts Do Not Run a Shell SUSE Linux Enterprise 12 The root account is the only system account that should have a login shell. Restrict Serial Port Root Logins SUSE Linux Enterprise 12 Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account. Restrict Virtual Console Root Logins SUSE Linux Enterprise 12 Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. Ensure new users receive home directories SUSE Linux Enterprise 12 CREATE_HOME should be enabled Ensure that FAIL_DELAY is Configured in /etc/login.defs SUSE Linux Enterprise 12 The delay between failed authentication attempts should be set for all users specified in /etc/login.defs Set Maximum Number of Concurrent Login Sessions Per User SUSE Linux Enterprise 12 The maximum number of concurrent login sessions per user should meet minimum requirements. Set Interactive Session Timeout SUSE Linux Enterprise 12 Checks interactive shell timeout All Interactive Users Home Directories Must be Defined SUSE Linux Enterprise 12 Check for home directories of interactive users that currently do not have a home directory assigned. All Interactive Users Home Directories Must Exist SUSE Linux Enterprise 12 Check for home directories of interactive users that currently do not have a home directory assigned. Ensure All User Initialization Files Have Mode 0740 Or Less Permissive SUSE Linux Enterprise 12 Ensure All User Initialization Files Have Mode 0740 Or Less Permissive All Interactive User Home Directories Must Have mode 0750 Or Less Permissive SUSE Linux Enterprise 12 All Interactive Users Home Directories Must Have mode 0750 or Less Permissive. Proper Permissions User Home Directories SUSE Linux Enterprise 12 File permissions should be set correctly for the home directories for all user accounts. Write permissions are disabled for group and other in all directories in Root's Path SUSE Linux Enterprise 12 Check each directory in root's path and make use it does not grant write permission to group and other Ensure that Users Have Sensible Umask Values in /etc/login.defs SUSE Linux Enterprise 12 The default umask for all users specified in /etc/login.defs Audit User/Group Modification SUSE Linux Enterprise 12 Audit rules should detect modification to system files that hold information about users and groups. Audit User/Group Modification SUSE Linux Enterprise 12 Audit rules should detect modification to system files that hold information about users and groups. Audit User/Group Modification SUSE Linux Enterprise 12 Audit rules should detect modification to system files that hold information about users and groups. Audit User/Group Modification SUSE Linux Enterprise 12 Audit rules should detect modification to system files that hold information about users and groups. Audit User/Group Modification SUSE Linux Enterprise 12 Audit rules should detect modification to system files that hold information about users and groups. Audit User/Group Modification SUSE Linux Enterprise 12 Audit rules should detect modification to system files that hold information about users and groups. Verify /var/log/audit Ownership SUSE Linux Enterprise 12 Checks that all /var/log/audit files and directories are owned by the root user and group. Configure SUSE Linux Enterprise 12 checks for an audit rule for every suid binary Enable Syscall Auditing SUSE Linux Enterprise 12 Syscall auditing should not be disabled. Audit Kernel Module Loading and Unloading - delete_module SUSE Linux Enterprise 12 The audit rules should be configured to log information about kernel module loading and unloading. Audit Kernel Module Loading and Unloading - finit_module SUSE Linux Enterprise 12 The audit rules should be configured to log information about kernel module loading and unloading. Audit Kernel Module Loading and Unloading - init_module SUSE Linux Enterprise 12 The audit rules should be configured to log information about kernel module loading and unloading. Configure audispd Plugin Remote Server IP address or Hostname SUSE Linux Enterprise 12 remote_server setting in /etc/audisp/audisp-remote.conf is set to a certain IP address or hostname Configure audispd's Plugin disk_full_action When Disk Is Full SUSE Linux Enterprise 12 disk_full_action setting in /etc/audisp/audisp-remote.conf is set to an acceptable value Kerberos 5 Authentication and Encryption in Audit Event Multiplexor (audispd) Is Activated SUSE Linux Enterprise 12 enable_krb5 setting in /etc/audisp/audisp-remote.conf is set to 'yes' Configure audispd's Plugin network_failure_action On Network Failure SUSE Linux Enterprise 12 network_failure_action setting in /etc/audisp/audisp-remote.conf is set to an acceptable value The syslog Plugin Of the Audit Event Multiplexor (audispd) Is Activated SUSE Linux Enterprise 12 active setting in /etc/audisp/plugins.d/syslog.conf is set to 'yes' Auditd Action to Take When Disk Errors SUSE Linux Enterprise 12 disk_error_action setting in /etc/audit/auditd.conf is set to a certain action Auditd Action to Take When Disk Is Full SUSE Linux Enterprise 12 disk_full_action setting in /etc/audit/auditd.conf is set to a certain action Auditd Email Account to Notify Upon Action SUSE Linux Enterprise 12 action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account Auditd Action to Take When Disk is Low on Space SUSE Linux Enterprise 12 admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action Auditd Maximum Log File Size SUSE Linux Enterprise 12 max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value Auditd Action to Take When Maximum Log Size Reached SUSE Linux Enterprise 12 max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action Auditd Maximum Number of Logs to Retain SUSE Linux Enterprise 12 num_logs setting in /etc/audit/auditd.conf is set to at least a certain value Configure auditd space_left on Low Disk Space SUSE Linux Enterprise 12 space_left setting in /etc/audit/auditd.conf is set to at least a certain value Auditd Action to Take When Disk Starting to Run Low on Space SUSE Linux Enterprise 12 space_left_action setting in /etc/audit/auditd.conf is set to a certain action Force IOMMU usage in GRUB2 SUSE Linux Enterprise 12 Look for argument iommu=force in the kernel line in /etc/default/grub. Set Boot Loader Password SUSE Linux Enterprise 12 The grub2 boot loader should have password protection enabled. Set the UEFI Boot Loader Password SUSE Linux Enterprise 12 The UEFI grub2 boot loader should have password protection enabled. Ensure RTC is using UTC as its time base SUSE Linux Enterprise 12 Time stamps generated by the operating system include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC. Ensure the logrotate utility performs the automatic rotation of log files on daily basis SUSE Linux Enterprise 12 The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily Send Logs to a Remote Loghost SUSE Linux Enterprise 12 Syslog logs should be sent to a remote loghost Disable the network sniffer SUSE Linux Enterprise 12 Disable the network sniffer Disable IPv6 Kernel Module Functionality via Disable Option SUSE Linux Enterprise 12 The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack. Deactivate Wireless Interfaces SUSE Linux Enterprise 12 All wireless interfaces should be disabled. Enable DoS Protections in SuSEfirewall2 SUSE Linux Enterprise 12 Verify "SuSEfirewall2" is configured to protect the SUSE operating system against or limit the effects of DoS attacks. Verify that All World-Writable Directories Have Sticky Bits Set SUSE Linux Enterprise 12 The sticky bit should be set for all world-writable directories. Verify that System.map files are readable only by root SUSE Linux Enterprise 12 Checks that /boot/System.map-* are only readable by root. Find files unowned by a group SUSE Linux Enterprise 12 All files should be owned by a group Find files unowned by a user SUSE Linux Enterprise 12 All files should be owned by a user Find world writable directories not group-owned by an application group SUSE Linux Enterprise 12 All world writable directories should be groupowned by an application group. Verify Permissions and Ownership of Old Passwords File SUSE Linux Enterprise 12 Verify Permissions and Ownership of Old Passwords File Add nodev Option to Non-Root Local Partitions SUSE Linux Enterprise 12 The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist in the /dev directory on the root partition or within chroot jails built for system services. All other locations should not allow character and block devices. Bind Mount /var/tmp To /tmp SUSE Linux Enterprise 12 The /var/tmp directory should be bind mounted to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp. Add 'nosuid' Option to NFS Mounts SUSE Linux Enterprise 12 The 'nosuid' mount option can be used to prevent execution of setuid programs in network mounts. Add 'noexec' Option to NFS Mounts SUSE Linux Enterprise 12 The 'noexec' mount option can be used to prevent execution of setuid programs in network mounts. Add nosuid Option to /home SUSE Linux Enterprise 12 The nosuid mount option can be used to prevent execution of setuid programs in /home. Verify that /var/log/messages is readable only by root SUSE Linux Enterprise 12 Checks that /var/log/messages is only readable by root. Partition for Home Directories Must Exist SUSE Linux Enterprise 12 Check for a separate partition for home directories of interactive users. Implement Local DB for DConf User Profile SUSE Linux Enterprise 12 The DConf User profile should have the local DB configured. Force dconf to use the textfiles instead of a binary DB SUSE Linux Enterprise 12 dconf should use text files instead of the binary database. Disable GDM Automatic Login SUSE Linux Enterprise 12 Disable the GNOME Display Manager (GDM) ability to allow users to automatically login. Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 SUSE Linux Enterprise 12 Disable the GNOME3 ctrl-alt-del reboot key sequence in GNOME3. FIPS 140-2 Certified Operating System SUSE Linux Enterprise 12 The operating system installed on the system is a certified operating system that meets FIPS 140-2 requirements. Package Antivirus Installed SUSE Linux Enterprise 12 Antivirus software should be installed. Package McAfeeVSEForLinux Installed SUSE Linux Enterprise 12 McAfee Antivirus software should be installed. Install the McAfee Runtime Libraries and Linux Agent SUSE Linux Enterprise 12 Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma). McAfee AntiVirus Definitions Updated SUSE Linux Enterprise 12 Verify that McAfee AntiVirus definitions have been updated. Install the Asset Configuration Compliance Module (ACCM) SUSE Linux Enterprise 12 Install the Asset Configuration Compliance Module (ACCM). Install the Host Intrusion Prevention System (HIPS) Module SUSE Linux Enterprise 12 Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module. Install the Policy Auditor (PA) Module SUSE Linux Enterprise 12 Install the Policy Auditor (PA) Module. Enable Dracut FIPS Module SUSE Linux Enterprise 12 fips module should be enabled in Dracut configuration Enable FIPS Mode SUSE Linux Enterprise 12 Check if FIPS mode is enabled on the system Kernel "crypto.fips_enabled" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "crypto.fips_enabled" parameter should be set to "1" in system runtime. Configure Periodic Execution of AIDE SUSE Linux Enterprise 12 By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Configure Notification of Post-AIDE Scan Details SUSE Linux Enterprise 12 AIDE should notify appropriate personnel of the details of a scan after the scan has been run. Configure AIDE to Verify Access Control Lists (ACLs) SUSE Linux Enterprise 12 AIDE should be configured to verify Access Control Lists (ACLs). Configure AIDE to Verify Extended Attributes SUSE Linux Enterprise 12 AIDE should be configured to verify extended file attributes. Configure AIDE to Verify the Audit Tools SUSE Linux Enterprise 12 The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools. Only Authorized Local User Accounts Exist on Operating System SUSE Linux Enterprise 12 Besides the default operating system user, there should be no other users except the users that are authorized to exist locally on the operating system. Ensure !authenticate Is Not Used in Sudo SUSE Linux Enterprise 12 Checks sudo usage without authentication Ensure NOPASSWD Is Not Used in Sudo SUSE Linux Enterprise 12 Checks sudo usage without password Ensure Zypper Removes Previous Package Versions SUSE Linux Enterprise 12 The solver.upgradeRemoveDroppedPackages option should be used to ensure that old versions of software components are removed after updating. Ensure zypper gpgcheck Globally Activated SUSE Linux Enterprise 12 The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation. Disable the usb-storage Kernel Module SUSE Linux Enterprise 12 Make sure there is a blacklist entry for the usb-storage driver. Audit Discretionary Access Control Modification Events - mount SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - umount SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - umount2 SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Record Any Attempts to Run chacl SUSE Linux Enterprise 12 Audit rules about the information on the use of chacl is enabled. Record Any Attempts to Run chcon SUSE Linux Enterprise 12 Audit rules about the information on the use of chcon is enabled. Record Any Attempts to Run chmod SUSE Linux Enterprise 12 Audit rules about the information on the use of chmod is enabled. Record Any Attempts to Run crontab SUSE Linux Enterprise 12 Audit rules about the information on the use of crontab is enabled. Record Any Attempts to Run rm SUSE Linux Enterprise 12 Audit rules about the information on the use of rm is enabled. Record Any Attempts to Run setfacl SUSE Linux Enterprise 12 Audit rules about the information on the use of setfacl is enabled. Record Any Attempts to Run ssh-agent SUSE Linux Enterprise 12 Audit rules about the information on the use of ssh-agent is enabled. Record Attempts to Alter Login and Logout Events - faillog SUSE Linux Enterprise 12 Audit rules should be configured to log successful and unsuccessful login and logout events. Ensure auditd Collects Information on the Use of Privileged Commands - chage SUSE Linux Enterprise 12 Audit rules about the information on the use of chage is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - chfn SUSE Linux Enterprise 12 Audit rules about the information on the use of chfn is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - chsh SUSE Linux Enterprise 12 Audit rules about the information on the use of chsh is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd SUSE Linux Enterprise 12 Audit rules about the information on the use of gpasswd is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - insmod SUSE Linux Enterprise 12 Audit rules about the information on the use of insmod is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - kmod SUSE Linux Enterprise 12 Audit rules about the information on the use of kmod is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - modprobe SUSE Linux Enterprise 12 Audit rules about the information on the use of modprobe is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - newgrp SUSE Linux Enterprise 12 Audit rules about the information on the use of newgrp is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check SUSE Linux Enterprise 12 Audit rules about the information on the use of pam_timestamp_check is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - passmass SUSE Linux Enterprise 12 Audit rules about the information on the use of passmass is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - passwd SUSE Linux Enterprise 12 Audit rules about the information on the use of passwd is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - rmmod SUSE Linux Enterprise 12 Audit rules about the information on the use of rmmod is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - ssh_keysign SUSE Linux Enterprise 12 Audit rules about the information on the use of ssh_keysign is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - su SUSE Linux Enterprise 12 Audit rules about the information on the use of su is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - sudo SUSE Linux Enterprise 12 Audit rules about the information on the use of sudo is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit SUSE Linux Enterprise 12 Audit rules about the information on the use of sudoedit is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd SUSE Linux Enterprise 12 Audit rules about the information on the use of unix_chkpwd is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - usermod SUSE Linux Enterprise 12 Audit rules about the information on the use of usermod is enabled. Verify /etc/cron.allow Group Owner SUSE Linux Enterprise 12 This test makes sure that /etc/cron.allow is group owned by 0. Verify /etc/group Group Owner SUSE Linux Enterprise 12 This test makes sure that /etc/group is group owned by 0. Verify /etc/gshadow Group Owner SUSE Linux Enterprise 12 This test makes sure that /etc/gshadow is group owned by 0. Verify /etc/passwd Group Owner SUSE Linux Enterprise 12 This test makes sure that /etc/passwd is group owned by 0. Verify /etc/shadow Group Owner SUSE Linux Enterprise 12 This test makes sure that /etc/shadow is group owned by 0. Verify /boot/grub/grub.conf Group Owner SUSE Linux Enterprise 12 This test makes sure that /boot/grub/grub.conf is group owned by 0. Verify /etc/cron.allow Owner SUSE Linux Enterprise 12 This test makes sure that /etc/cron.allow is owned by 0. Verify /etc/group Owner SUSE Linux Enterprise 12 This test makes sure that /etc/group is owned by 0. Verify /etc/gshadow Owner SUSE Linux Enterprise 12 This test makes sure that /etc/gshadow is owned by 0. Verify /etc/passwd Owner SUSE Linux Enterprise 12 This test makes sure that /etc/passwd is owned by 0. Verify /etc/shadow Owner SUSE Linux Enterprise 12 This test makes sure that /etc/shadow is owned by 0. Verify /boot/grub/grub.conf Owner SUSE Linux Enterprise 12 This test makes sure that /boot/grub/grub.conf is owned by 0. Verify /etc/cron.allow Mode Permissions SUSE Linux Enterprise 12 This test makes sure that /etc/cron.allow has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/group Mode Permissions SUSE Linux Enterprise 12 This test makes sure that /etc/group has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/gshadow Mode Permissions SUSE Linux Enterprise 12 This test makes sure that /etc/gshadow has mode 0000. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/passwd Mode Permissions SUSE Linux Enterprise 12 This test makes sure that /etc/passwd has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/shadow Mode Permissions SUSE Linux Enterprise 12 This test makes sure that /etc/shadow has mode 0000. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /boot/grub/grub.conf Mode Permissions SUSE Linux Enterprise 12 This test makes sure that /boot/grub/grub.conf has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/httpd/conf.d/^.*$ Mode Permissions SUSE Linux Enterprise 12 This test makes sure that /etc/httpd/conf.d/^.*$ has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/httpd/conf/^.*$ Mode Permissions SUSE Linux Enterprise 12 This test makes sure that /etc/httpd/conf/^.*$ has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/httpd/conf.modules.d/^.*$ Mode Permissions SUSE Linux Enterprise 12 This test makes sure that /etc/httpd/conf.modules.d/^.*$ has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/ssh/^.*_key$ Mode Permissions SUSE Linux Enterprise 12 This test makes sure that /etc/ssh/^.*_key$ has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /etc/ssh/^.*.pub$ Mode Permissions SUSE Linux Enterprise 12 This test makes sure that /etc/ssh/^.*.pub$ has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Disable bluetooth Kernel Module SUSE Linux Enterprise 12 The kernel module bluetooth should be disabled. Disable cramfs Kernel Module SUSE Linux Enterprise 12 The kernel module cramfs should be disabled. Disable dccp Kernel Module SUSE Linux Enterprise 12 The kernel module dccp should be disabled. Disable freevxfs Kernel Module SUSE Linux Enterprise 12 The kernel module freevxfs should be disabled. Disable hfs Kernel Module SUSE Linux Enterprise 12 The kernel module hfs should be disabled. Disable hfsplus Kernel Module SUSE Linux Enterprise 12 The kernel module hfsplus should be disabled. Disable jffs2 Kernel Module SUSE Linux Enterprise 12 The kernel module jffs2 should be disabled. Disable sctp Kernel Module SUSE Linux Enterprise 12 The kernel module sctp should be disabled. Disable squashfs Kernel Module SUSE Linux Enterprise 12 The kernel module squashfs should be disabled. Disable udf Kernel Module SUSE Linux Enterprise 12 The kernel module udf should be disabled. Disable usb-storage Kernel Module SUSE Linux Enterprise 12 The kernel module usb-storage should be disabled. Add nodev Option to /dev/shm SUSE Linux Enterprise 12 /dev/shm should be mounted with mount option nodev. Add noexec Option to /dev/shm SUSE Linux Enterprise 12 /dev/shm should be mounted with mount option noexec. Add nosuid Option to /dev/shm SUSE Linux Enterprise 12 /dev/shm should be mounted with mount option nosuid. Add nodev Option to /home SUSE Linux Enterprise 12 /home should be mounted with mount option nodev. Add nosuid Option to /home SUSE Linux Enterprise 12 /home should be mounted with mount option nosuid. Add nodev Option to /tmp SUSE Linux Enterprise 12 /tmp should be mounted with mount option nodev. Add noexec Option to /tmp SUSE Linux Enterprise 12 /tmp should be mounted with mount option noexec. Add nosuid Option to /tmp SUSE Linux Enterprise 12 /tmp should be mounted with mount option nosuid. Add nodev Option to /var/tmp SUSE Linux Enterprise 12 /var/tmp should be mounted with mount option nodev. Add noexec Option to /var/tmp SUSE Linux Enterprise 12 /var/tmp should be mounted with mount option noexec. Add nosuid Option to /var/tmp SUSE Linux Enterprise 12 /var/tmp should be mounted with mount option nosuid. Package SuSEfirewall2 Installed SUSE Linux Enterprise 12 The RPM package SuSEfirewall2 should be installed. Package abrt Removed SUSE Linux Enterprise 12 The RPM package abrt should be removed. Package acpid Removed SUSE Linux Enterprise 12 The RPM package acpid should be removed. Package aide Installed SUSE Linux Enterprise 12 The RPM package aide should be installed. Package apparmor-parser Installed SUSE Linux Enterprise 12 The RPM package apparmor-parser should be installed. Package at Removed SUSE Linux Enterprise 12 The RPM package at should be removed. Package audit-audispd-plugins Installed SUSE Linux Enterprise 12 The RPM package audit-audispd-plugins should be installed. Package audit Installed SUSE Linux Enterprise 12 The RPM package audit should be installed. Package autofs Removed SUSE Linux Enterprise 12 The RPM package autofs should be removed. Package avahi Removed SUSE Linux Enterprise 12 The RPM package avahi should be removed. Package bind Removed SUSE Linux Enterprise 12 The RPM package bind should be removed. Package bluez Removed SUSE Linux Enterprise 12 The RPM package bluez should be removed. Package certmonger Removed SUSE Linux Enterprise 12 The RPM package certmonger should be removed. Package chrony Installed SUSE Linux Enterprise 12 The RPM package chrony should be installed. Package coolkey Installed SUSE Linux Enterprise 12 The RPM package coolkey should be installed. Package cronie Installed SUSE Linux Enterprise 12 The RPM package cronie should be installed. Package cups Removed SUSE Linux Enterprise 12 The RPM package cups should be removed. Package cyrus-sasl Removed SUSE Linux Enterprise 12 The RPM package cyrus-sasl should be removed. Package dbus Removed SUSE Linux Enterprise 12 The RPM package dbus should be removed. Package dconf Installed SUSE Linux Enterprise 12 The RPM package dconf should be installed. Package dhcp Removed SUSE Linux Enterprise 12 The RPM package dhcp should be removed. Package docker Installed SUSE Linux Enterprise 12 The RPM package docker should be installed. Package dovecot Removed SUSE Linux Enterprise 12 The RPM package dovecot should be removed. Package esc Installed SUSE Linux Enterprise 12 The RPM package esc should be installed. Package firewalld Installed SUSE Linux Enterprise 12 The RPM package firewalld should be installed. Package gdm Installed SUSE Linux Enterprise 12 The RPM package gdm should be installed. Package httpd Removed SUSE Linux Enterprise 12 The RPM package httpd should be removed. Package iputils Removed SUSE Linux Enterprise 12 The RPM package iputils should be removed. Package irqbalance Installed SUSE Linux Enterprise 12 The RPM package irqbalance should be installed. Package kbd Installed SUSE Linux Enterprise 12 The RPM package kbd should be installed. Package kernel-tools Removed SUSE Linux Enterprise 12 The RPM package kernel-tools should be removed. Package kexec-tools Removed SUSE Linux Enterprise 12 The RPM package kexec-tools should be removed. Package libcgroup-tools Removed SUSE Linux Enterprise 12 The RPM package libcgroup-tools should be removed. Package libcgroup Removed SUSE Linux Enterprise 12 The RPM package libcgroup should be removed. Package libreswan Installed SUSE Linux Enterprise 12 The RPM package libreswan should be installed. Package mdadm Removed SUSE Linux Enterprise 12 The RPM package mdadm should be removed. Package mozilla-nss-tools Installed SUSE Linux Enterprise 12 The RPM package mozilla-nss-tools should be installed. Package mozilla-nss Installed SUSE Linux Enterprise 12 The RPM package mozilla-nss should be installed. Package net-snmp Removed SUSE Linux Enterprise 12 The RPM package net-snmp should be removed. Package nfs-utils Removed SUSE Linux Enterprise 12 The RPM package nfs-utils should be removed. Package ntp Installed SUSE Linux Enterprise 12 The RPM package ntp should be installed. Package ntp Removed SUSE Linux Enterprise 12 The RPM package ntp should be removed. Package ntpdate Removed SUSE Linux Enterprise 12 The RPM package ntpdate should be removed. Package oddjob Removed SUSE Linux Enterprise 12 The RPM package oddjob should be removed. Package opensc Installed SUSE Linux Enterprise 12 The RPM package opensc should be installed. Package openssh Installed SUSE Linux Enterprise 12 The RPM package openssh should be installed. Package openssh Removed SUSE Linux Enterprise 12 The RPM package openssh should be removed. Package pam_apparmor Installed SUSE Linux Enterprise 12 The RPM package pam_apparmor should be installed. Package pam_pkcs11 Installed SUSE Linux Enterprise 12 The RPM package pam_pkcs11 should be installed. Package pcsc-ccid Installed SUSE Linux Enterprise 12 The RPM package pcsc-ccid should be installed. Package pcsc-lite Installed SUSE Linux Enterprise 12 The RPM package pcsc-lite should be installed. Package pcsc-tools Installed SUSE Linux Enterprise 12 The RPM package pcsc-tools should be installed. Package policycoreutils Installed SUSE Linux Enterprise 12 The RPM package policycoreutils should be installed. Package portreserve Removed SUSE Linux Enterprise 12 The RPM package portreserve should be removed. Package postfix Installed SUSE Linux Enterprise 12 The RPM package postfix should be installed. Package psacct Installed SUSE Linux Enterprise 12 The RPM package psacct should be installed. Package qpid-cpp-server Removed SUSE Linux Enterprise 12 The RPM package qpid-cpp-server should be removed. Package quagga Removed SUSE Linux Enterprise 12 The RPM package quagga should be removed. Package quota-nld Removed SUSE Linux Enterprise 12 The RPM package quota-nld should be removed. Package rhnsd Removed SUSE Linux Enterprise 12 The RPM package rhnsd should be removed. Package rsh-server Removed SUSE Linux Enterprise 12 The RPM package rsh-server should be removed. Package rsh Removed SUSE Linux Enterprise 12 The RPM package rsh should be removed. Package rsyslog Installed SUSE Linux Enterprise 12 The RPM package rsyslog should be installed. Package samba Removed SUSE Linux Enterprise 12 The RPM package samba should be removed. Package screen Installed SUSE Linux Enterprise 12 The RPM package screen should be installed. Package smartmontools Removed SUSE Linux Enterprise 12 The RPM package smartmontools should be removed. Package squid Removed SUSE Linux Enterprise 12 The RPM package squid should be removed. Package sssd Installed SUSE Linux Enterprise 12 The RPM package sssd should be installed. Package sssd Removed SUSE Linux Enterprise 12 The RPM package sssd should be removed. Package subscription-manager Removed SUSE Linux Enterprise 12 The RPM package subscription-manager should be removed. Package sysstat Removed SUSE Linux Enterprise 12 The RPM package sysstat should be removed. Package systemd Installed SUSE Linux Enterprise 12 The RPM package systemd should be installed. Package systemd Removed SUSE Linux Enterprise 12 The RPM package systemd should be removed. Package talk-server Removed SUSE Linux Enterprise 12 The RPM package talk-server should be removed. Package talk Removed SUSE Linux Enterprise 12 The RPM package talk should be removed. Package tcp_wrappers Installed SUSE Linux Enterprise 12 The RPM package tcp_wrappers should be installed. Package telnet-server Removed SUSE Linux Enterprise 12 The RPM package telnet-server should be removed. Package telnet Removed SUSE Linux Enterprise 12 The RPM package telnet should be removed. Package tftp-server Removed SUSE Linux Enterprise 12 The RPM package tftp-server should be removed. Package tftp Removed SUSE Linux Enterprise 12 The RPM package tftp should be removed. Package vlock Installed SUSE Linux Enterprise 12 The RPM package vlock should be installed. Package vsftpd Installed SUSE Linux Enterprise 12 The RPM package vsftpd should be installed. Package vsftpd Removed SUSE Linux Enterprise 12 The RPM package vsftpd should be removed. Package xinetd Installed SUSE Linux Enterprise 12 The RPM package xinetd should be installed. Package xinetd Removed SUSE Linux Enterprise 12 The RPM package xinetd should be removed. Package ypbind Removed SUSE Linux Enterprise 12 The RPM package ypbind should be removed. Package ypserv Removed SUSE Linux Enterprise 12 The RPM package ypserv should be removed. Ensure /var Located On Separate Partition SUSE Linux Enterprise 12 If stored locally, create a separate partition for /var. If /var will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure /var/log/audit Located On Separate Partition SUSE Linux Enterprise 12 If stored locally, create a separate partition for /var/log/audit. If /var/log/audit will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure Correct Mode, Owner, Group Owner for /etc/cron.allow SUSE Linux Enterprise 12 Checks for correct UNIX permissions on /etc/cron.allow. Ensure Correct Mode, Owner, Group Owner for /etc/group SUSE Linux Enterprise 12 Checks for correct UNIX permissions on /etc/group. Ensure Correct Mode, Owner, Group Owner for /etc/gshadow SUSE Linux Enterprise 12 Checks for correct UNIX permissions on /etc/gshadow. Ensure Correct Mode, Owner, Group Owner for /etc/passwd SUSE Linux Enterprise 12 Checks for correct UNIX permissions on /etc/passwd. Ensure Correct Mode, Owner, Group Owner for /etc/shadow SUSE Linux Enterprise 12 Checks for correct UNIX permissions on /etc/shadow. Ensure Correct Mode, Owner, Group Owner for /boot/grub/grub.conf SUSE Linux Enterprise 12 Checks for correct UNIX permissions on /boot/grub/grub.conf. Ensure Correct Mode, Owner, Group Owner for /etc/httpd/conf.d/^.*$ SUSE Linux Enterprise 12 Checks for correct UNIX permissions on /etc/httpd/conf.d/^.*$. Ensure Correct Mode, Owner, Group Owner for /etc/httpd/conf/^.*$ SUSE Linux Enterprise 12 Checks for correct UNIX permissions on /etc/httpd/conf/^.*$. Ensure Correct Mode, Owner, Group Owner for /etc/httpd/conf.modules.d/^.*$ SUSE Linux Enterprise 12 Checks for correct UNIX permissions on /etc/httpd/conf.modules.d/^.*$. Ensure Correct Mode, Owner, Group Owner for /etc/ssh/^.*_key$ SUSE Linux Enterprise 12 Checks for correct UNIX permissions on /etc/ssh/^.*_key$. Ensure Correct Mode, Owner, Group Owner for /etc/ssh/^.*.pub$ SUSE Linux Enterprise 12 Checks for correct UNIX permissions on /etc/ssh/^.*.pub$. Service SuSEfirewall2 Enabled SUSE Linux Enterprise 12 The SuSEfirewall2 service should be enabled if possible. Service abrtd Disabled SUSE Linux Enterprise 12 The abrtd service should be disabled if possible. Service acpid Disabled SUSE Linux Enterprise 12 The acpid service should be disabled if possible. Service apparmor Enabled SUSE Linux Enterprise 12 The apparmor service should be enabled if possible. Service atd Disabled SUSE Linux Enterprise 12 The atd service should be disabled if possible. Service auditd Enabled SUSE Linux Enterprise 12 The auditd service should be enabled if possible. Service autofs Disabled SUSE Linux Enterprise 12 The autofs service should be disabled if possible. Service avahi-daemon Disabled SUSE Linux Enterprise 12 The avahi-daemon service should be disabled if possible. Service bluetooth Disabled SUSE Linux Enterprise 12 The bluetooth service should be disabled if possible. Service certmonger Disabled SUSE Linux Enterprise 12 The certmonger service should be disabled if possible. Service cgconfig Disabled SUSE Linux Enterprise 12 The cgconfig service should be disabled if possible. Service cgred Disabled SUSE Linux Enterprise 12 The cgred service should be disabled if possible. Service chronyd Enabled SUSE Linux Enterprise 12 The chronyd service should be enabled if possible. Service cpupower Disabled SUSE Linux Enterprise 12 The cpupower service should be disabled if possible. Service crond Enabled SUSE Linux Enterprise 12 The crond service should be enabled if possible. Service cups Disabled SUSE Linux Enterprise 12 The cups service should be disabled if possible. Service debug-shell Disabled SUSE Linux Enterprise 12 The debug-shell service should be disabled if possible. Service dhcpd Disabled SUSE Linux Enterprise 12 The dhcpd service should be disabled if possible. Service docker Enabled SUSE Linux Enterprise 12 The docker service should be enabled if possible. Service dovecot Disabled SUSE Linux Enterprise 12 The dovecot service should be disabled if possible. Service firewalld Enabled SUSE Linux Enterprise 12 The firewalld service should be enabled if possible. Service httpd Disabled SUSE Linux Enterprise 12 The httpd service should be disabled if possible. Service irqbalance Enabled SUSE Linux Enterprise 12 The irqbalance service should be enabled if possible. Service kdump Disabled SUSE Linux Enterprise 12 The kdump service should be disabled if possible. Service mdmonitor Disabled SUSE Linux Enterprise 12 The mdmonitor service should be disabled if possible. Service messagebus Disabled SUSE Linux Enterprise 12 The messagebus service should be disabled if possible. Service named Disabled SUSE Linux Enterprise 12 The named service should be disabled if possible. Service nfs Disabled SUSE Linux Enterprise 12 The nfs service should be disabled if possible. Service nfslock Disabled SUSE Linux Enterprise 12 The nfslock service should be disabled if possible. Service ntpd Disabled SUSE Linux Enterprise 12 The ntpd service should be disabled if possible. Service ntpd Enabled SUSE Linux Enterprise 12 The ntpd service should be enabled if possible. Service ntpdate Disabled SUSE Linux Enterprise 12 The ntpdate service should be disabled if possible. Service oddjobd Disabled SUSE Linux Enterprise 12 The oddjobd service should be disabled if possible. Service pcscd Enabled SUSE Linux Enterprise 12 The pcscd service should be enabled if possible. Service portreserve Disabled SUSE Linux Enterprise 12 The portreserve service should be disabled if possible. Service postfix Enabled SUSE Linux Enterprise 12 The postfix service should be enabled if possible. Service psacct Enabled SUSE Linux Enterprise 12 The psacct service should be enabled if possible. Service qpidd Disabled SUSE Linux Enterprise 12 The qpidd service should be disabled if possible. Service quota_nld Disabled SUSE Linux Enterprise 12 The quota_nld service should be disabled if possible. Service rdisc Disabled SUSE Linux Enterprise 12 The rdisc service should be disabled if possible. Service rexec Disabled SUSE Linux Enterprise 12 The rexec service should be disabled if possible. Service rhnsd Disabled SUSE Linux Enterprise 12 The rhnsd service should be disabled if possible. Service rhsmcertd Disabled SUSE Linux Enterprise 12 The rhsmcertd service should be disabled if possible. Service rlogin Disabled SUSE Linux Enterprise 12 The rlogin service should be disabled if possible. Service rpcbind Disabled SUSE Linux Enterprise 12 The rpcbind service should be disabled if possible. Service rpcgssd Disabled SUSE Linux Enterprise 12 The rpcgssd service should be disabled if possible. Service rpcidmapd Disabled SUSE Linux Enterprise 12 The rpcidmapd service should be disabled if possible. Service rpcsvcgssd Disabled SUSE Linux Enterprise 12 The rpcsvcgssd service should be disabled if possible. Service rsh Disabled SUSE Linux Enterprise 12 The rsh service should be disabled if possible. Service rsyslog Enabled SUSE Linux Enterprise 12 The rsyslog service should be enabled if possible. Service saslauthd Disabled SUSE Linux Enterprise 12 The saslauthd service should be disabled if possible. Service smartd Disabled SUSE Linux Enterprise 12 The smartd service should be disabled if possible. Service smb Disabled SUSE Linux Enterprise 12 The smb service should be disabled if possible. Service snmpd Disabled SUSE Linux Enterprise 12 The snmpd service should be disabled if possible. Service squid Disabled SUSE Linux Enterprise 12 The squid service should be disabled if possible. Service sshd Disabled SUSE Linux Enterprise 12 The sshd service should be disabled if possible. Service sshd Enabled SUSE Linux Enterprise 12 The sshd service should be enabled if possible. Service sssd Disabled SUSE Linux Enterprise 12 The sssd service should be disabled if possible. Service sssd Enabled SUSE Linux Enterprise 12 The sssd service should be enabled if possible. Service sysstat Disabled SUSE Linux Enterprise 12 The sysstat service should be disabled if possible. Service telnet Disabled SUSE Linux Enterprise 12 The telnet service should be disabled if possible. Service tftp Disabled SUSE Linux Enterprise 12 The tftp service should be disabled if possible. Service vsftpd Disabled SUSE Linux Enterprise 12 The vsftpd service should be disabled if possible. Service xinetd Disabled SUSE Linux Enterprise 12 The xinetd service should be disabled if possible. Service ypbind Disabled SUSE Linux Enterprise 12 The ypbind service should be disabled if possible. Service zebra Disabled SUSE Linux Enterprise 12 The zebra service should be disabled if possible. Kernel "fs.suid_dumpable" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "fs.suid_dumpable" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "kernel.kptr_restrict" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "kernel.kptr_restrict" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "kernel.randomize_va_space" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "kernel.randomize_va_space" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.all.accept_redirects" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.all.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.all.accept_source_route" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.all.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.all.log_martians" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.all.log_martians" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.all.rp_filter" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.all.rp_filter" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.all.secure_redirects" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.all.secure_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.all.send_redirects" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.all.send_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.accept_redirects" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.default.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.accept_source_route" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.default.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.log_martians" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.default.log_martians" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.rp_filter" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.default.rp_filter" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.secure_redirects" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.default.secure_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.conf.default.send_redirects" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.conf.default.send_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.ip_forward" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.ip_forward" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv4.tcp_syncookies" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv4.tcp_syncookies" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.all.accept_ra" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv6.conf.all.accept_ra" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.all.accept_redirects" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv6.conf.all.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.all.accept_source_route" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv6.conf.all.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv6.conf.all.disable_ipv6" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.all.forwarding" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv6.conf.all.forwarding" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.default.accept_ra" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv6.conf.default.accept_ra" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.default.accept_redirects" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv6.conf.default.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "net.ipv6.conf.default.accept_source_route" Parameter Configuration and Runtime Check SUSE Linux Enterprise 12 The "net.ipv6.conf.default.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. Kernel "fs.suid_dumpable" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "fs.suid_dumpable" parameter should be set to "0" in system runtime. Kernel "kernel.kptr_restrict" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "kernel.kptr_restrict" parameter should be set to "1" in system runtime. Kernel "kernel.randomize_va_space" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "kernel.randomize_va_space" parameter should be set to "2" in system runtime. Kernel "net.ipv4.conf.all.accept_redirects" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.accept_redirects" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.all.accept_source_route" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.accept_source_route" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.all.log_martians" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.log_martians" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.all.rp_filter" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.rp_filter" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.all.secure_redirects" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.secure_redirects" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.all.send_redirects" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.send_redirects" parameter should be set to "0" in system runtime. Kernel "net.ipv4.conf.default.accept_redirects" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.accept_redirects" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.default.accept_source_route" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.accept_source_route" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.default.log_martians" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.log_martians" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.default.rp_filter" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.rp_filter" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.default.secure_redirects" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.secure_redirects" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.conf.default.send_redirects" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.send_redirects" parameter should be set to "0" in system runtime. Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.icmp_echo_ignore_broadcasts" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.icmp_ignore_bogus_error_responses" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv4.ip_forward" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.ip_forward" parameter should be set to "0" in system runtime. Kernel "net.ipv4.tcp_syncookies" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv4.tcp_syncookies" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.all.accept_ra" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.all.accept_ra" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.all.accept_redirects" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.all.accept_redirects" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.all.accept_source_route" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.all.accept_source_route" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in system runtime. Kernel "net.ipv6.conf.all.forwarding" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.all.forwarding" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.default.accept_ra" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.default.accept_ra" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.default.accept_redirects" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.default.accept_redirects" parameter should be set to the appropriate value in system runtime. Kernel "net.ipv6.conf.default.accept_source_route" Parameter Runtime Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.default.accept_source_route" parameter should be set to the appropriate value in system runtime. Kernel "fs.suid_dumpable" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "fs.suid_dumpable" parameter should be set to "0" in the system configuration. Kernel "kernel.kptr_restrict" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "kernel.kptr_restrict" parameter should be set to "1" in the system configuration. Kernel "kernel.randomize_va_space" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "kernel.randomize_va_space" parameter should be set to "2" in the system configuration. Kernel "net.ipv4.conf.all.accept_redirects" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.accept_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.accept_source_route" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.accept_source_route" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.log_martians" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.log_martians" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.rp_filter" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.rp_filter" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.secure_redirects" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.secure_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.all.send_redirects" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.all.send_redirects" parameter should be set to "0" in the system configuration. Kernel "net.ipv4.conf.default.accept_redirects" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.accept_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.accept_source_route" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.accept_source_route" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.log_martians" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.log_martians" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.rp_filter" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.rp_filter" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.secure_redirects" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.secure_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.conf.default.send_redirects" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.conf.default.send_redirects" parameter should be set to "0" in the system configuration. Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.icmp_echo_ignore_broadcasts" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.icmp_ignore_bogus_error_responses" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv4.ip_forward" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.ip_forward" parameter should be set to "0" in the system configuration. Kernel "net.ipv4.tcp_syncookies" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv4.tcp_syncookies" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv6.conf.all.accept_ra" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.all.accept_ra" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv6.conf.all.accept_redirects" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.all.accept_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv6.conf.all.accept_source_route" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.all.accept_source_route" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in the system configuration. Kernel "net.ipv6.conf.all.forwarding" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.all.forwarding" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv6.conf.default.accept_ra" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.default.accept_ra" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv6.conf.default.accept_redirects" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.default.accept_redirects" parameter should be set to the appropriate value in the system configuration. Kernel "net.ipv6.conf.default.accept_source_route" Parameter Configuration Check SUSE Linux Enterprise 12 The kernel "net.ipv6.conf.default.accept_source_route" parameter should be set to the appropriate value in the system configuration. Record Any Attempts to Run semanage SUSE Linux Enterprise 12 Test if auditctl is in use for audit rules. Record Any Attempts to Run semanage SUSE Linux Enterprise 12 Test if augenrules is enabled for audit rules. 'log_group' Not Set To 'root' In /etc/audit/auditd.conf SUSE Linux Enterprise 12 Verify 'log_group' is not set to 'root' in /etc/audit/auditd.conf. GRUB_CMDLINE_LINUX_DEFAULT existance check SUSE Linux Enterprise 12 Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub. Install McAfee Host-Based Intrusion Detection Software (HBSS) SUSE Linux Enterprise 12 McAfee Host-Based Intrusion Detection Software (HBSS) software should be installed. CentOS 6 SUSE Linux Enterprise 12 The operating system installed on the system is CentOS 6 CentOS 7 SUSE Linux Enterprise 12 The operating system installed on the system is CentOS 7 CentOS 8 SUSE Linux Enterprise 12 The operating system installed on the system is CentOS 8 Debian 8 SUSE Linux Enterprise 12 The operating system installed on the system is Debian 8 Installed operating system is Fedora SUSE Linux Enterprise 12 The operating system installed on the system is Fedora Oracle Linux 6 SUSE Linux Enterprise 12 The operating system installed on the system is Oracle Linux 6 Oracle Linux 7 SUSE Linux Enterprise 12 The operating system installed on the system is Oracle Linux 7 Oracle Linux 8 SUSE Linux Enterprise 12 The operating system installed on the system is Oracle Linux 8 openSUSE SUSE Linux Enterprise 12 The operating system installed on the system is openSUSE. openSUSE Leap 15 SUSE Linux Enterprise 12 The operating system installed on the system is openSUSE Leap 15. openSUSE Leap 42 SUSE Linux Enterprise 12 The operating system installed on the system is openSUSE Leap 42. Installed operating system is part of the Unix family SUSE Linux Enterprise 12 The operating system installed on the system is part of the Unix OS family Red Hat Enterprise Linux 6 SUSE Linux Enterprise 12 The operating system installed on the system is Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 SUSE Linux Enterprise 12 The operating system installed on the system is Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 SUSE Linux Enterprise 12 The operating system installed on the system is Red Hat Enterprise Linux 8 Red Hat Virtualization 4 SUSE Linux Enterprise 12 The operating system installed on the system is Red Hat Virtualization Host 4 or Red Hat Enterprise Host. Scientific Linux 6 SUSE Linux Enterprise 12 The operating system installed on the system is Scientific Linux 6 Scientific Linux 7 SUSE Linux Enterprise 12 The operating system installed on the system is Scientific Linux 7 Scientific Linux 8 SUSE Linux Enterprise 12 The operating system installed on the system is Scientific Linux 8 SUSE Linux Enterprise 11 SUSE Linux Enterprise 12 The operating system installed on the system is SUSE Linux Enterprise 11. SUSE Linux Enterprise 12 SUSE Linux Enterprise 12 The operating system installed on the system is SUSE Linux Enterprise 12. Ubuntu SUSE Linux Enterprise 12 The operating system installed is an Ubuntu System Ubuntu 1404 SUSE Linux Enterprise 12 The operating system installed on the system is Ubuntu 1404 Ubuntu 1604 SUSE Linux Enterprise 12 The operating system installed on the system is Ubuntu 1604 Ubuntu 1804 SUSE Linux Enterprise 12 The operating system installed on the system is Ubuntu 1804 WRLinux SUSE Linux Enterprise 12 The operating system installed on the system is Wind River Linux Red Hat OpenShift Container Platform SUSE Linux Enterprise 12 The application installed installed on the system is OpenShift 3. Red Hat OpenStack Platform SUSE Linux Enterprise 12 The application installed installed on the system is Red Hat OpenStack Platform 13. Red Hat Virtualization 4 SUSE Linux Enterprise 12 The application installed installed on the system is Red Hat Virtualization 4. Package libuser is installed SUSE Linux Enterprise 12 Checks if package libuser is installed. Package nss-pam-ldapd is installed SUSE Linux Enterprise 12 Checks if package nss-pam-ldapd is installed. Package pam is installed SUSE Linux Enterprise 12 Checks if package pam is installed. Package shadow-utils is installed SUSE Linux Enterprise 12 Checks if package shadow-utils is installed. Package systemd is installed SUSE Linux Enterprise 12 Checks if package systemd is installed. Package yum or zypper is installed SUSE Linux Enterprise 12 Checks if package yum or zypper is installed. Package yum is installed SUSE Linux Enterprise 12 Checks if package yum is installed. Check if the scan target is a container SUSE Linux Enterprise 12 Check for presence of files characterizing container filesystems. Check if the scan target is a machine SUSE Linux Enterprise 12 Check for absence of files characterizing container filesystems. SSHD is not required to be installed or requirement not set SUSE Linux Enterprise 12 If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good. SSHD is required to be installed or requirement not set SUSE Linux Enterprise 12 If SSHD is required, we check it is installed. If SSH requirement is unset, we are good. It doesn't matter if sshd is installed or not SUSE Linux Enterprise 12 Test if value sshd_required is 0. OpenSSH Server is 7.4 or newer SUSE Linux Enterprise 12 Check if version of OpenSSH Server is equal or higher than 7.4 Verify The SSSD Configuration File Exists SUSE Linux Enterprise 12 The /etc/sssd/sssd.conf file should exist if it is in use. Kernel Runtime Parameter IPv6 Check SUSE Linux Enterprise 12 Disables IPv6 for all network interfaces. Test for 64-bit Architecture SUSE Linux Enterprise 12 Generic test for 64-bit architectures to be used by other tests Test for aarch_64 Architecture SUSE Linux Enterprise 12 Generic test for aarch_64 architecture to be used by other tests Test for PPC and PPCLE Architecture SUSE Linux Enterprise 12 Generic test for PPC PPC64LE architecture to be used by other tests Test for x86 Architecture SUSE Linux Enterprise 12 Generic test for x86 architecture to be used by other tests Test for x86_64 Architecture SUSE Linux Enterprise 12 Generic test for x86_64 architecture to be used by other tests Value of 'var_accounts_user_umask' variable represented as octal number SUSE Linux Enterprise 12 Value of 'var_accounts_user_umask' variable represented as octal number Audit Discretionary Access Control Modification Events - chmod SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - chown SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - fchmod SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - fchmodat SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - fchown SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - fchownat SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - fremovexattr SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - fsetxattr SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - lchown SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - lremovexattr SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - lsetxattr SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - removexattr SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Audit Discretionary Access Control Modification Events - setxattr SUSE Linux Enterprise 12 The changing of file permissions, attributes, mount points, and opening of files should be audited. Record Any Attempts to Run restorecon SUSE Linux Enterprise 12 Audit rules about the information on the use of restorecon is enabled. Record Any Attempts to Run semanage SUSE Linux Enterprise 12 Audit rules about the information on the use of semanage is enabled. Record Any Attempts to Run setfiles SUSE Linux Enterprise 12 Audit rules about the information on the use of setfiles is enabled. Record Any Attempts to Run setsebool SUSE Linux Enterprise 12 Audit rules about the information on the use of setsebool is enabled. Record Any Attempts to Run seunshare SUSE Linux Enterprise 12 Audit rules about the information on the use of seunshare is enabled. Record Attempts to Alter Login and Logout Events - faillock SUSE Linux Enterprise 12 Audit rules should be configured to log successful and unsuccessful login and logout events. Record Attempts to Alter Login and Logout Events - lastlog SUSE Linux Enterprise 12 Audit rules should be configured to log successful and unsuccessful login and logout events. Record Attempts to Alter Login and Logout Events - tallylog SUSE Linux Enterprise 12 Audit rules should be configured to log successful and unsuccessful login and logout events. Ensure auditd Collects Information on the Use of Privileged Commands - at SUSE Linux Enterprise 12 Audit rules about the information on the use of at is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - crontab SUSE Linux Enterprise 12 Audit rules about the information on the use of crontab is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - mount SUSE Linux Enterprise 12 Audit rules about the information on the use of mount is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap SUSE Linux Enterprise 12 Audit rules about the information on the use of newgidmap is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap SUSE Linux Enterprise 12 Audit rules about the information on the use of newuidmap is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - postdrop SUSE Linux Enterprise 12 Audit rules about the information on the use of postdrop is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - postqueue SUSE Linux Enterprise 12 Audit rules about the information on the use of postqueue is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown SUSE Linux Enterprise 12 Audit rules about the information on the use of pt_chown is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - umount SUSE Linux Enterprise 12 Audit rules about the information on the use of umount is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - userhelper SUSE Linux Enterprise 12 Audit rules about the information on the use of userhelper is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl SUSE Linux Enterprise 12 Audit rules about the information on the use of usernetctl is enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - chmod SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - chown SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - creat SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchmod SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchmodat SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchown SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fchownat SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fremovexattr SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - fsetxattr SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - ftruncate SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - lchown SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - lremovexattr SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - lsetxattr SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - open SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - openat SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - removexattr SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - rename SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - renameat SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - setxattr SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - truncate SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - unlink SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - unlinkat SUSE Linux Enterprise 12 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Mount Remote Filesystems with nodev SUSE Linux Enterprise 12 The nodev option should be enabled for all NFS mounts in /etc/fstab. Mount Remote Filesystems with noexec SUSE Linux Enterprise 12 The noexec option should be enabled for all NFS mounts in /etc/fstab. Mount Remote Filesystems with nosuid SUSE Linux Enterprise 12 The nosuid option should be enabled for all NFS mounts in /etc/fstab. Package nss-pam-ldapd Removed SUSE Linux Enterprise 12 The RPM package nss-pam-ldapd should be removed. Package samba-common Installed SUSE Linux Enterprise 12 The RPM package samba-common should be installed. /etc/vsftpd.conf ^[\s]*banner_file=/etc/issue[\s]*$ 1 /etc/aliases ^(?:[rR][oO][oO][tT]|"[rR][oO][oO][tT]")\s*:\s*(.+)$ 1 /etc/exports ^(.*?(\binsecure_locks\b)[^$]*)$ 1 /etc/ntp.conf ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) 1 /etc/chrony.conf ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) 1 /etc/ntp.conf ^server[\s]+[\S]+[\s]+(.*) 1 /etc/chrony.conf ^server[\s]+[\S]+[\s]+(.*) 1 / shosts.equiv / .shosts /etc/fstab ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+) 1 /etc/mtab ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+) 1 /etc/snmp/snmpd.conf ^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private) 1 /etc/snmp/snmpd.conf ^[\s]*(com2se|rocommunity|rwcommunity) 1 /etc/ssh/sshd_config ^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)Compression(?-i)[\s]+(no|delayed)[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)PermitEmptyPasswords(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)RhostsRSAAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)IgnoreUserKnownHosts(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)PermitUserEnvironment(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)StrictModes(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)Banner(?-i)[\s]+/etc/issue[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)X11Forwarding(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)PrintLastLog(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)LogLevel(?-i)[\s]+INFO[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)Ciphers(?-i)[\s]+((aes128-ctr|aes192-ctr|aes256-ctr),?)+[\s]*(?:|(?:#.*))?$ 1 oval:ssg-var_sshd_config_macs:var:1 /etc/ssh/sshd_config ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)UsePrivilegeSeparation(?-i)[\s]+(\w+)[\s]*(?:|(?:#.*))?$ 1 /etc/ssh/sshd_config ^[\s]*(?i)LogLevel(?-i)[\s]+VERBOSE[\s]*(?:|(?:#.*))?$ 1 /etc/sssd/sssd.conf ^[\s]*\[nss](?:[^\n\[]*\n+)+?[\s]*memcache_timeout[\s]*=[\s]*(\d+)$ 1 /etc/sssd/sssd.conf ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*1$ 1 /etc/issue 1 /etc/motd 1 /etc/dconf/db/gdm.d/ ^.*$ ^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$ 1 /etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/banner-message-enable$ 1 /etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/banner-message-text$ 1 /etc/dconf/db/gdm.d/ ^.*$ ^banner-message-text=[\s]*'*(.*?)'$ 1 /etc/gdm/Xsession /etc/gdm/Xsession \A#!/bin/sh\n\s*if ! zenity --text-info(\\\n|(?!\n)\s)+--title "Consent"(\\\n|(?!\n)\s)+--filename=/etc/gdm/banner(\\\n|(?!\n)\s)+--no-markup(\\\n|(?!\n)\s)+--checkbox="Accept." 10 10; then\s+sleep 1[;\n]\s*exit 1[;\n]\s*fi\s 1 /etc/gdm/banner 1 /etc/gdm/banner /etc/pam.d/login ^\s*session\s+(required|requisite)?\s+pam_lastlog.so[\s\w\d\=]+showfailed(\s|$) 1 /etc/pam.d/login ^\s*session\s+(required|requisite)?\s+pam_lastlog.so[\s\w\d\=]+silent(\s|$) 1 /etc/pam.d/common-auth ^\s*auth(?:(?!\n)\s)+required(?:(?!\n)\s)+pam_faildelay.so(?:(?!\n)\s[^\n]+)?(?!\n)\sdelay=([0-9]+)(?:\s|$) 1 /etc/pam.d ^common-.*$ /etc/pam.d/common-password ^\s*password(?:(?!\n)\s)+requisite(?:(?!\n)\s)+pam_pwhistory.so(?:(?!\n)\s[^\n]+)?(?!\n)\suse_authtok(\s|$) 1 /etc/pam.d/common-password ^\s*password(?:(?!\n)\s)+requisite(?:(?!\n)\s)+pam_pwhistory.so(?:(?!\n)\s[^\n]+)?(?!\n)\sremember=([0-9]+)(?:\s|$) 1 /etc/pam.d/system-auth [\n][\s]*auth[\s]+\[.*default=([0-9]+).*\][\s]+pam_unix\.so 1 /etc/pam.d/system-auth 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+\[[^\]]*default=([0-9]+)[^\]]*\][\s]+pam_unix\.so 1 /etc/pam.d/password-auth 1 /etc/pam.d/system-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/system-auth [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[^\]]*\]))[^\n]+pam_unix\.so(?:.*[\n])*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[^\n]+deny=([0-9]+) 1 /etc/pam.d/system-auth [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/password-auth [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[[^\]]*\]))[\s]+pam_unix\.so(?:.*[\n])*[^\n]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+) 1 /etc/pam.d/password-auth [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n] 1 /etc/pam.d/common-auth ^\s*auth(?:(?!\n)\s)+required(?:(?!\n)\s)+pam_tally2.so((?:(?!\n)\s)?[^\n]+)?(?:(?!\n)\s)deny=[123](\s|$) 1 /etc/pam.d/common-account ^\s*account(?:(?!\n)\s)+required(?:(?!\n)\s)+pam_tally2.so((?:(?!\n)\s)?[^\n]+)?(?:(?!\n)\s)deny=[123](\s|$) 1 /etc/pam.d/common-password ^\s*password(?:(?!\n)\s)+requisite(?:(?!\n)\s)+pam_cracklib.so((?!\n)\s[^\n]+)?(?!\n)\s+dcredit=-1(\s|$) 1 /etc/pam.d/common-password ^\s*password(?:(?!\n)\s)+requisite(?:(?!\n)\s)+pam_cracklib.so(?:(?!\n)\s[^\n]+)?(?!\n)\s+difok=(\d+)(?:\s|$) 1 /etc/pam.d/common-password ^\s*password(?:(?!\n)\s)+requisite(?:(?!\n)\s)+pam_cracklib.so((?!\n)\s[^\n]+)?(?!\n)\s+lcredit=-1(\s|$) 1 /etc/pam.d/common-password ^\s*password(?:(?!\n)\s)+requisite(?:(?!\n)\s)+pam_cracklib.so(?:(?!\n)\s[^\n]+)?(?!\n)\s+minlen=(\d+)(?:\s|$) 1 /etc/pam.d/common-password ^\s*password(?:(?!\n)\s)+requisite(?:(?!\n)\s)+pam_cracklib.so((?!\n)\s[^\n]+)?(?!\n)\s+ocredit=-1(\s|$) 1 /etc/pam.d/common-password ^\s*password(?:(?!\n)\s)+requisite(?:(?!\n)\s)+pam_cracklib.so((?!\n)\s[^\n]+)?(?!\n)\s+ucredit=-1(\s|$) 1 /etc/login.defs .*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n 1 oval:ssg-variable_last_encrypt_method_instance_value:var:1 /etc/pam.d/common-password ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ 1 /etc/login.defs .*\n[^#]*(SHA_CRYPT_MIN_ROUNDS\s+\w+)\s*\n 1 oval:ssg-variable_last_sha_crypt_min_rounds_instance_value:var:1 /etc/login.defs .*\n[^#]*(SHA_CRYPT_MAX_ROUNDS\s+\w+)\s*\n 1 oval:ssg-variable_last_sha_crypt_max_rounds_instance_value:var:1 /etc/login.defs ^[^#]*SHA_CRYPT_M(IN|AX)_ROUNDS\s 1 /etc/pam.d/common-auth ^\s*auth(?:(?!\n)\s)+required(?:(?!\n)\s)+pam_unix.so((?!\n)\s[^\n]+)?(?!\n)\ssha512(\s|$) 1 /etc/systemd/system/ctrl-alt-del.target /etc/pam_pkcs11/pam_pkcs11.conf ^[\s]*cert_policy[ ]=(.*)$ 1 /etc/pam.d/common-auth ^\s*auth\s+(?:sufficient|required)\s+pam_pkcs11.so(?:\s|$) 1 /etc/pam_pkcs11/pam_pkcs11.conf ^[\s]*cert_policy[ ]=\s*(.*);$ 1 .* oval:ssg-variable_count_of_all_uids:var:1 /etc/default/useradd ^INACTIVE=\s*(\d+)$ 1 /etc/passwd ^([^:]+):.*$ 1 oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1 .* oval:ssg-state_account_passwords_minimum_lifetime:ste:1 .* /etc/login.defs .*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_max_days_instance_value:var:1 /etc/login.defs .*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_min_days_instance_value:var:1 /etc/login.defs .*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_min_len_instance_value:var:1 /etc/login.defs .*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_warn_age_instance_value:var:1 .* /etc/pam.d .* \s*nullok\s* 1 /home ^\.netrc$ .* oval:ssg-state_accounts_password_all_shadowed_has_no_password:ste:1 oval:ssg-state_accounts_password_all_shadowed_sha512:ste:1 /etc/passwd ^(?!root:)[^:]*:[^:]*:0 1 /etc/securetty ^.*$ 1 /etc/securetty ^$ 1 /etc/login.defs .*\n(?!#|SYS_)(UID_MIN[\s]+[\d]+)\s*\n 1 /etc/login.defs .*\n[^#]*(SYS_UID_MIN[\s]+[\d]+)\s*\n 1 /etc/login.defs .*\n[^#]*(SYS_UID_MAX[\s]+[\d]+)\s*\n 1 /etc/passwd ^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$ 1 oval:ssg-variable_default_range_quad_expr:var:1 oval:ssg-variable_reserved_range_quad_expr:var:1 oval:ssg-variable_dynalloc_range_quad_expr:var:1 /etc/securetty ^ttyS[0-9]+$ 1 /etc/securetty ^vc/[0-9]+$ 1 /etc/login.defs ^[\s]*(?i)CREATE_HOME(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 /etc/login.defs ^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*) 1 /etc/security/limits.conf ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ 1 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ 1 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins 1 /etc/profile ^[\s]*TMOUT=(\d+)[\s]*$ 1 /etc/profile.d ^.*\.sh$ ^[\s]*TMOUT=(\d+)[\s]*$ 1 .* oval:ssg-state_user_interactive_home_defined_is_interactive_user:ste:1 .* oval:ssg-state_user_interactive_home_exists_is_interactive_user:ste:1 oval:ssg-var_user_interactive_home_exists_home_directory_list:var:1 oval:ssg-state_user_interactive_home_exists_is_dir:ste:1 .* oval:ssg-state_file_permissions_user_init_files_is_interactive_user:ste:1 ^\. .* oval:ssg-state_file_permissions_home_directories_is_interactive_user:ste:1 /home oval:ssg-state_home_dirs_home_itself:ste:1 oval:ssg-state_home_dirs_wrong_perm:ste:1 PATH oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1 oval:ssg-state_accounts_root_path_dirs_symlink:ste:1 /etc/login.defs ^[\s]*UMASK[\s]+([^#\s]*) 1 oval:ssg-var_etc_login_defs_umask_as_number:var:1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s+]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s+]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /var/log/audit oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 /var/log/audit ^.*$ oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 /var/log/audit oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 /var/log/audit ^.*$ oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 / ^ oval:ssg-state_is_not_executable:ste:1 oval:ssg-state_has_no_sxid_bit:ste:1 oval:ssg-state_is_regular_file:ste:1 /etc/audit/audit.rules ^(?:\s*(?:-w |-F path=)(\S+) (?:-p |-F perm=)(?:xwa|wxa|wax|xaw|axw|awx) (?:-k |-F key=)\w+\s*|(.).+)$ 1 /etc/audit/rules.d \.rules$ ^(?:\s*(?:-w |-F path=)(\S+) (?:-p |-F perm=)(?:xwa|wxa|wax|xaw|axw|awx) (?:-k |-F key=)\w+\s*|(.).+)$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+task,never[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+task,never[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audisp/audisp-remote.conf ^[ ]*remote_server[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audisp/audisp-remote.conf ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audisp/audisp-remote.conf ^[ ]*enable_krb5[ ]+=[ ]+yes[ ]*$ 1 /etc/audisp/audisp-remote.conf ^[ ]*network_failure_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audisp/plugins.d/syslog.conf ^[ ]*active[ ]+=[ ]+yes[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$ 1 /etc/audit/auditd.conf ^[\s]*space_left[\s]+=[\s]+(\d+)[\s]*$ 1 /etc/audit/auditd.conf ^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 /boot/grub2/grub.cfg ^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$ 1 /boot/grub2/user.cfg ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ 1 /boot/grub2/grub.cfg ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ 1 /sys/firmware/efi ^/boot/efi/EFI/(redhat|fedora)/grub.cfg$ ^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$ 1 ^/boot/efi/EFI/(redhat|fedora)/user.cfg$ ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ 1 ^/boot/efi/EFI/(redhat|fedora|sles)/grub.cfg$ ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ 1 /etc/adjtime ^UTC$ 1 /etc/logrotate.conf (?:daily)*.*(?=[\n][\s]*daily)(.*)$ 1 oval:ssg-state_another_rotate_interval_after_daily:ste:1 /etc/cron.daily/logrotate ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ 1 /etc/rsyslog.conf ^\*\.\*[\s]+(?:@|\:omrelp\:) 1 /etc/rsyslog.d .* ^\*\.\*[\s]+(?:@|\:omrelp\:) 1 ^.*$ oval:ssg-state_promisc:ste:1 /etc/modprobe.d ^.*\.conf$ ^\s*options\s+ipv6\s+.*disable=1.*$ 1 /proc/net/wireless ^\s*[-\w]+: 1 /etc/sysconfig/SuSEfirewall2 ^\s*(?:export\s+)?FW_SERVICES_ACCEPT_EXT=(?:"([^"]+)"|'([^']+)')\s*$ 1 / oval:ssg-state_world_writable_and_not_sticky:ste:1 /boot ^System\.map.*$ / .* oval:ssg-state_file_permissions_ungroupowned:ste:1 /etc/group ^[^:]+:[^:]*:([\d]+):[^:]*$ 1 .* / oval:ssg-file_permissions_unowned_userid_list_match:ste:1 / oval:ssg-state_is_world_writable:ste:1 /etc/security/opasswd ^/\w.*$ oval:ssg-state_local_nodev:ste:1 /etc/fstab ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ 1 ^/var/tmp$ /etc/mtab ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ 1 ^/tmp$ ^.*$ oval:ssg-state_nfs_nosuid_is_nfs:ste:1 ^.*$ oval:ssg-state_nfs_noexec_is_nfs:ste:1 .* oval:ssg-state_home_nosuid_is_interactive_user:ste:1 ^.*$ oval:ssg-state_home_nosuid_contains_home:ste:1 /var/log/messages ^ oval:ssg-state_user_interactive_home_partition_exists_is_interactive_user:ste:1 oval:ssg-state_user_interactive_home_partition_exists_is_not_nobody:ste:1 oval:ssg-var_user_interactive_home_parent_dirs:var:1 /etc/dconf/profile/gdm ^user-db:user\nsystem-db:gdm$ 1 /etc/dconf/profile/user ^(.*)$ 1 /etc/gdm/custom.conf ^\[daemon]([^\n]*\n+)+?AutomaticLoginEnable=[Ff]alse$ 1 /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/settings-daemon/plugins/media-keys]([^\n]*\n+)+?logout=\s*''$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/settings-daemon/plugins/media-keys/logout$ 1 McAfeeVSEForLinux MFErt MFEcma /opt/NAI/LinuxShield/engine/dat ^.*\.dat$ oval:ssg-variable_mcafee_dat_files_mtime:var:1 /opt/McAfee/accm/bin accm MFEhiplsm /opt/McAfee/auditengine/bin auditmanager /etc/dracut.conf.d/40-fips.conf ^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:|(?:#.*))?$ 1 oval:ssg-var_system_crypto_policy:var:1 crypto.fips_enabled /etc/crontab ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ 1 /etc/cron.d ^.*$ ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ 1 /var/spool/cron/root ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ 1 ^/etc/cron.(daily|weekly|monthly)$ ^.*$ ^\s*/usr/sbin/aide[\s]*\-\-check.*$ 1 /etc/crontab ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ 1 /var/spool/cron/root ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ 1 ^/etc/cron.(d|daily|weekly|monthly)$ ^.*$ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ 1 /etc/aide.conf ^(?!ALLXTRAHASHES|verbose)[A-Za-z]*[\s]*=[\s]*([a-z0-9\+-]*)$ 1 /etc/aide.conf ^(?!ALLXTRAHASHES)[A-Za-z]*[\s]*=[\s]*([a-z0-9\+]*)$ 1 /etc/aide.conf ^\/usr\/sbin\/auditctl\s+([^\n]+)$ 1 /etc/aide.conf ^/usr/sbin/auditd\s+([^\n]+)$ 1 /etc/aide.conf ^/usr/sbin/ausearch\s+([^\n]+)$ 1 /etc/aide.conf ^/usr/sbin/aureport\s+([^\n]+)$ 1 /etc/aide.conf ^/usr/sbin/autrace\s+([^\n]+)$ 1 /etc/aide.conf ^/usr/sbin/audispd\s+([^\n]+)$ 1 /etc/aide.conf ^/usr/sbin/augenrules\s+([^\n]+)$ 1 /etc/passwd ^([a-zA-Z0-9_.-]+?): 1 oval:ssg-state_default_os_user:ste:1 /etc/sudoers ^(?!#).*[\s]+\!authenticate.*$ 1 /etc/sudoers.d ^.*$ ^(?!#).*[\s]+\!authenticate.*$ 1 /etc/sudoers ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ 1 /etc/sudoers.d ^.*$ ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ 1 /etc/zypp/zypp.conf ^solver.upgradeRemoveDroppedPackages\s*=\s*true\s*$ 1 /etc/zypp/zypp.conf ^\s*gpgcheck\s*= 1 /etc/zypp/zypp.conf ^\s*gpgcheck\s*=\s*(1|on|yes|true)\s*$ 1 /etc/zypp/zypp.conf ^\s*repo_gpgcheck\s*= 1 /etc/zypp/zypp.conf ^\s*repo_gpgcheck\s*=\s*(1|on|yes|true)\s*$ 1 /etc/zypp/zypp.conf ^\s*pkg_gpgcheck\s*= 1 /etc/zypp/zypp.conf ^\s*pkg_gpgcheck\s*=\s*(1|on|yes|true)\s*$ 1 /etc/modprobe.d ^ ^blacklist usb-storage$ 1 /etc/modprobe.conf ^blacklist usb-storage$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chacl[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chacl[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/chacl[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/chacl[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/chcon[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/chcon[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chmod[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chmod[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/chmod[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/chmod[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/crontab[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/crontab[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/rm[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/rm[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/rm[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/rm[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/setfacl[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/setfacl[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/setfacl[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/setfacl[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/ssh-agent[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/ssh-agent[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/ssh-agent[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/ssh-agent[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+\/var\/log\/faillog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+\/var\/log\/faillog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/chage[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/chage[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chfn[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chfn[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/chfn[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/chfn[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/chsh[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/chsh[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/gpasswd[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/gpasswd[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/insmod[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/insmod[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/kmod[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/kmod[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/kmod[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/kmod[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/modprobe[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/modprobe[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/newgrp[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/newgrp[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/pam_timestamp_check[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/pam_timestamp_check[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/sbin\/pam_timestamp_check[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/sbin\/pam_timestamp_check[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passmass[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passmass[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/passmass[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/passmass[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/passwd[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/passwd[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/rmmod[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/rmmod[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/lib\/ssh\/ssh-keysign[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/lib\/ssh\/ssh-keysign[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/lib\/ssh\/ssh-keysign[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/lib\/ssh\/ssh-keysign[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/su[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/su[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/sudo[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/sudo[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/sudoedit[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/sudoedit[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/unix_chkpwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/unix_chkpwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/sbin\/unix_chkpwd[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/sbin\/unix_chkpwd[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usermod[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usermod[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/sbin\/usermod[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/sbin\/usermod[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc cron.allow /etc group /etc gshadow /etc passwd /etc shadow /boot/grub grub.conf /etc cron.allow /etc group /etc gshadow /etc passwd /etc shadow /boot/grub grub.conf /etc cron.allow /etc group /etc gshadow /etc passwd /etc shadow /boot/grub grub.conf /etc/httpd/conf.d ^.*$ /etc/httpd/conf ^.*$ /etc/httpd/conf.modules.d ^.*$ /etc/ssh ^.*_key$ /etc/ssh ^.*.pub$ /etc/modprobe.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /run/modprobe.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 /dev/shm /dev/shm /dev/shm /home /home /tmp /tmp /tmp /var/tmp /var/tmp /var/tmp SuSEfirewall2 abrt acpid aide apparmor-parser at audit-audispd-plugins audit autofs avahi bind bluez certmonger chrony coolkey cronie cups cyrus-sasl dbus dconf dhcp docker dovecot esc firewalld gdm httpd iputils irqbalance kbd kernel-tools kexec-tools libcgroup-tools libcgroup libreswan mdadm mozilla-nss-tools mozilla-nss net-snmp nfs-utils ntp ntp ntpdate oddjob opensc openssh openssh pam_apparmor pam_pkcs11 pcsc-ccid pcsc-lite pcsc-tools policycoreutils portreserve postfix psacct qpid-cpp-server quagga quota-nld rhnsd rsh-server rsh rsyslog samba screen smartmontools squid sssd sssd subscription-manager sysstat systemd systemd talk-server talk tcp_wrappers telnet-server telnet tftp-server tftp vlock vsftpd vsftpd xinetd xinetd ypbind ypserv /var /var/log/audit multi-user.target multi-user.target SuSEfirewall2\.(socket|service) ActiveState multi-user.target multi-user.target abrtd\.(service|socket) ActiveState multi-user.target multi-user.target acpid\.(service|socket) ActiveState multi-user.target multi-user.target apparmor\.(socket|service) ActiveState multi-user.target multi-user.target atd\.(service|socket) ActiveState multi-user.target multi-user.target auditd\.(socket|service) ActiveState multi-user.target multi-user.target autofs\.(service|socket) ActiveState multi-user.target multi-user.target avahi-daemon\.(service|socket) ActiveState multi-user.target multi-user.target bluetooth\.(service|socket) ActiveState multi-user.target multi-user.target certmonger\.(service|socket) ActiveState multi-user.target multi-user.target cgconfig\.(service|socket) ActiveState multi-user.target multi-user.target cgred\.(service|socket) ActiveState multi-user.target multi-user.target chronyd\.(socket|service) ActiveState multi-user.target multi-user.target cpupower\.(service|socket) ActiveState multi-user.target multi-user.target crond\.(socket|service) ActiveState multi-user.target multi-user.target cups\.(service|socket) ActiveState multi-user.target multi-user.target debug-shell\.(service|socket) ActiveState multi-user.target multi-user.target dhcpd\.(service|socket) ActiveState multi-user.target multi-user.target docker\.(socket|service) ActiveState multi-user.target multi-user.target dovecot\.(service|socket) ActiveState multi-user.target multi-user.target firewalld\.(socket|service) ActiveState multi-user.target multi-user.target httpd\.(service|socket) ActiveState multi-user.target multi-user.target irqbalance\.(socket|service) ActiveState multi-user.target multi-user.target kdump\.(service|socket) ActiveState multi-user.target multi-user.target mdmonitor\.(service|socket) ActiveState multi-user.target multi-user.target messagebus\.(service|socket) ActiveState multi-user.target multi-user.target named\.(service|socket) ActiveState multi-user.target multi-user.target nfs\.(service|socket) ActiveState multi-user.target multi-user.target nfslock\.(service|socket) ActiveState multi-user.target multi-user.target ntpd\.(service|socket) ActiveState multi-user.target multi-user.target ntpd\.(socket|service) ActiveState multi-user.target multi-user.target ntpdate\.(service|socket) ActiveState multi-user.target multi-user.target oddjobd\.(service|socket) ActiveState multi-user.target multi-user.target pcscd\.(socket|service) ActiveState multi-user.target multi-user.target portreserve\.(service|socket) ActiveState multi-user.target multi-user.target postfix\.(socket|service) ActiveState multi-user.target multi-user.target psacct\.(socket|service) ActiveState multi-user.target multi-user.target qpidd\.(service|socket) ActiveState multi-user.target multi-user.target quota_nld\.(service|socket) ActiveState multi-user.target multi-user.target rdisc\.(service|socket) ActiveState multi-user.target multi-user.target rexec\.(service|socket) ActiveState multi-user.target multi-user.target rhnsd\.(service|socket) ActiveState multi-user.target multi-user.target rhsmcertd\.(service|socket) ActiveState multi-user.target multi-user.target rlogin\.(service|socket) ActiveState multi-user.target multi-user.target rpcbind\.(service|socket) ActiveState multi-user.target multi-user.target rpcgssd\.(service|socket) ActiveState multi-user.target multi-user.target rpcidmapd\.(service|socket) ActiveState multi-user.target multi-user.target rpcsvcgssd\.(service|socket) ActiveState multi-user.target multi-user.target rsh\.(service|socket) ActiveState multi-user.target multi-user.target rsyslog\.(socket|service) ActiveState multi-user.target multi-user.target saslauthd\.(service|socket) ActiveState multi-user.target multi-user.target smartd\.(service|socket) ActiveState multi-user.target multi-user.target smb\.(service|socket) ActiveState multi-user.target multi-user.target snmpd\.(service|socket) ActiveState multi-user.target multi-user.target squid\.(service|socket) ActiveState multi-user.target multi-user.target sshd\.(service|socket) ActiveState multi-user.target multi-user.target sshd\.(socket|service) ActiveState multi-user.target multi-user.target sssd\.(service|socket) ActiveState multi-user.target multi-user.target sssd\.(socket|service) ActiveState multi-user.target multi-user.target sysstat\.(service|socket) ActiveState multi-user.target multi-user.target telnet\.(service|socket) ActiveState multi-user.target multi-user.target tftp\.(service|socket) ActiveState multi-user.target multi-user.target vsftpd\.(service|socket) ActiveState multi-user.target multi-user.target xinetd\.(service|socket) ActiveState multi-user.target multi-user.target ypbind\.(service|socket) ActiveState multi-user.target multi-user.target zebra\.(service|socket) ActiveState fs.suid_dumpable kernel.kptr_restrict kernel.randomize_va_space net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.log_martians net.ipv4.conf.all.rp_filter net.ipv4.conf.all.secure_redirects net.ipv4.conf.all.send_redirects net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.log_martians net.ipv4.conf.default.rp_filter net.ipv4.conf.default.secure_redirects net.ipv4.conf.default.send_redirects net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_ignore_bogus_error_responses net.ipv4.ip_forward net.ipv4.tcp_syncookies net.ipv6.conf.all.accept_ra net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_source_route net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.all.forwarding net.ipv6.conf.default.accept_ra net.ipv6.conf.default.accept_redirects net.ipv6.conf.default.accept_source_route /etc/sysctl.conf ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.conf ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.conf ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1 /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1 /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/augenrules.*$ 1 /etc/audit/auditd.conf ^[ ]*log_group[ ]+=[ ]+root[ ]*$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT=.*$ 1 centos-release centos-release centos-release /etc/debian_version /etc/debian_version ^8.[0-9]+$ 1 fedora-release /etc/system-release-cpe ^cpe:\/o:fedoraproject:fedora:[\d]+$ 1 oraclelinux-release oraclelinux-release oraclelinux-release openSUSE-release openSUSE-release openSUSE-release redhat-release-client redhat-release-workstation redhat-release-server redhat-release-computenode redhat-release-client redhat-release-workstation redhat-release-server redhat-release-computenode redhat-release-virtualization-host /etc/redhat-release ^Red Hat Enterprise Linux release (\d)\.\d+$ 1 redhat-release redhat-release-virtualization-host /etc/redhat-release ^Red Hat Enterprise Linux release (\d)\.\d+$ 1 sl-release sl-release sl-release sled-release sles-release sled-release sles-release SLES_SAP-release /etc/lsb-release /etc/lsb-release ^DISTRIB_ID=Ubuntu$ 1 /etc/lsb-release ^DISTRIB_CODENAME=trusty$ 1 /etc/lsb-release ^DISTRIB_CODENAME=xenial$ 1 /etc/lsb-release ^DISTRIB_CODENAME=bionic$ 1 /etc/wrlinux-release atomic-openshift atomic-openshift-node atomic-openshift-hyperkube rhosp-release rhvm-appliance libuser nss-pam-ldapd pam shadow-utils systemd yum zypper yum /.dockerenv /run/.containerenv oval:ssg-sshd_required:var:1 oval:ssg-sshd_required:var:1 oval:ssg-sshd_required:var:1 openssh-server openssh-server /etc/sssd/sssd.conf oval:ssg-var_accounts_user_umask_umask_as_number:var:1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/sbin\/restorecon[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/sbin\/restorecon[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/sbin\/semanage[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/sbin\/semanage[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/sbin\/setfiles[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/sbin\/setfiles[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/sbin\/setsebool[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/sbin\/setsebool[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/sbin\/seunshare[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/sbin\/seunshare[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 /etc/audit/audit.rules ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/at[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/at[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/crontab[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/crontab[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/mount[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/mount[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/newgidmap[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/newgidmap[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/newuidmap[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/newuidmap[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/sbin\/postdrop[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/sbin\/postdrop[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/sbin\/postqueue[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/sbin\/postqueue[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/libexec\/pt_chown[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/libexec\/pt_chown[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/bin\/umount[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/bin\/umount[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/sbin\/userhelper[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/sbin\/userhelper[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+\/usr\/sbin\/usernetctl[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 /etc/audit/rules.d \.rules$ ^[\s]*-w[\s]+\/usr\/sbin\/usernetctl[\s]+-p[\s]+[\S]*x[\S]*[\s]+-k[\s]+[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ 0 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ 0 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ 0 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ 0 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ 0 /etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ 0 nss-pam-ldapd samba-common maxpoll \d+ 2 sec=(krb5i|ntlmv2i) 0 0 true true true false true true false true true true true regular SHA512 5000 /etc/systemd/system/ctrl-alt-del.target /dev/null ^.*ocsp_on.*$ (^|,\s*)ca(\s*,|$) -1 0 x|\* ^(!|!!|\*)$ SHA-512 0 0 0 1000 ^/. 1000 directory 1000 false false false false false 1000 false false false false /home true true true true true true true true true symbolic link 0 0 0 0 false false false false false regular ^(?:single|syslog|halt)$ ^(?:single|syslog|halt)$ ^.*iommu=force.*$ }[^{]+[\n][\s]*(weekly|monthly|yearly)|[\n][\s]*(weekly|monthly|yearly)[^}]+{ PROMISC (^| )0/0,tcp,22,,([^ $]+,)?hitcount=\d+(,|$) (^| )0/0,tcp,22,,([^ $]+,)?blockseconds=\d+(,|$) false true 0 false false false false false false false false false false true 1000 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 ^/dev/.*$ nodev ^nfs\d?$ nosuid ^nfs\d?$ noexec 1000 nosuid 0 0 false false false false false false false false false 1000 65534 service-db:keyfile/user fips FIPS 1 ^.*acl.*$ ^.*xattrs.*$ p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 ^root$ 0 0 0 0 0 0 0 0 0 0 0 0 false false false true true false true false false true false false false false false true true false true false false true false false false false false false false false false false false false false false false false false true true false true false false true false false false false false false false false false false false false false false false false false true true false false false false false false false false false false true true false true false false false false false false false false true true false true false false false false false false false false true true false true false false false false false false false false true true false false false false false false false false false false true true false true false false true false false nodev noexec nosuid nodev nosuid nodev noexec nosuid nodev noexec nosuid SuSEfirewall2.service SuSEfirewall2.socket active abrtd.service abrtd.socket inactive acpid.service acpid.socket inactive apparmor.service apparmor.socket active atd.service atd.socket inactive auditd.service auditd.socket active autofs.service autofs.socket inactive avahi-daemon.service avahi-daemon.socket inactive bluetooth.service bluetooth.socket inactive certmonger.service certmonger.socket inactive cgconfig.service cgconfig.socket inactive cgred.service cgred.socket inactive chronyd.service chronyd.socket active cpupower.service cpupower.socket inactive crond.service crond.socket active cups.service cups.socket inactive debug-shell.service debug-shell.socket inactive dhcpd.service dhcpd.socket inactive docker.service docker.socket active dovecot.service dovecot.socket inactive firewalld.service firewalld.socket active httpd.service httpd.socket inactive irqbalance.service irqbalance.socket active kdump.service kdump.socket inactive mdmonitor.service mdmonitor.socket inactive messagebus.service messagebus.socket inactive named.service named.socket inactive nfs.service nfs.socket inactive nfslock.service nfslock.socket inactive ntpd.service ntpd.socket inactive ntpd.service ntpd.socket active ntpdate.service ntpdate.socket inactive oddjobd.service oddjobd.socket inactive pcscd.service pcscd.socket active portreserve.service portreserve.socket inactive postfix.service postfix.socket active psacct.service psacct.socket active qpidd.service qpidd.socket inactive quota_nld.service quota_nld.socket inactive rdisc.service rdisc.socket inactive rexec.service rexec.socket inactive rhnsd.service rhnsd.socket inactive rhsmcertd.service rhsmcertd.socket inactive rlogin.service rlogin.socket inactive rpcbind.service rpcbind.socket inactive rpcgssd.service rpcgssd.socket inactive rpcidmapd.service rpcidmapd.socket inactive rpcsvcgssd.service rpcsvcgssd.socket inactive rsh.service rsh.socket inactive rsyslog.service rsyslog.socket active saslauthd.service saslauthd.socket inactive smartd.service smartd.socket inactive smb.service smb.socket inactive snmpd.service snmpd.socket inactive squid.service squid.socket inactive sshd.service sshd.socket inactive sshd.service sshd.socket active sssd.service sssd.socket inactive sssd.service sssd.socket active sysstat.service sysstat.socket inactive telnet.service telnet.socket inactive tftp.service tftp.socket inactive vsftpd.service vsftpd.socket inactive xinetd.service xinetd.socket inactive ypbind.service ypbind.socket inactive zebra.service zebra.socket inactive 0 1 2 0 0 0 1 ^6.*$ ^7.*$ ^8.*$ ^6Server$ ^7.*$ ^8.*$ openSUSE-release ^15.*$ ^42.*$ unix ^6.*$ ^6.*$ ^6.*$ ^6.*$ unix ^7.*$ ^7.*$ ^7.*$ ^7.*$ 7 unix ^8.*$ ^4.*$ 7 ^6.*$ ^7.*$ ^8.*$ unix ^11.*$ ^11.*$ unix ^12.*$ ^12.*$ ^12.*$ unix ^3.*$ ^3.*$ ^3.*$ ^13.*$ ^4.*$ 1 2 0 0:7.4 0:7.4 aarch64 ppc64 ppc64le i686 x86_64 ^.*nodev.*$ ^.*noexec.*$ ^.*nosuid.*$ 1000000 pam_unix(?:.*[\n](?:.*[\n]){ })(?:.*[\n])*auth.*pam_faillock.so[\s]+[^\n]*deny=([0-9]+) pam_unix(?:.*[\n](?:.*[\n]){ })(?:.*[\n])*auth.*pam_faillock.so[\s]+[^\n]*deny=([0-9]+) -1 -1 -1 -1 -1 64 8 64 8 ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(chmod)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(chmod)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(chown)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(chown)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(creat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(creat)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fchmod)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fchmod)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fchmodat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fchmodat)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fchown)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fchown)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fchownat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fchownat)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fremovexattr)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fremovexattr)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fsetxattr)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(fsetxattr)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(ftruncate)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(ftruncate)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(lchown)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(lchown)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(lremovexattr)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(lremovexattr)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(lsetxattr)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(lsetxattr)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(open_by_handle_at)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(openat)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(removexattr)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(removexattr)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(rename)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(rename)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(renameat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(renameat)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(setxattr)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(setxattr)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(truncate)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(truncate)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(unlink)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(unlink)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(unlinkat)(?:|(?:,[\S]+)+))[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)(unlinkat)(?:|(?:,[\S]+)+))[\s]+ [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) xccdf-create-ocil.xslt from SCAP Security Guide ssg: 0.1.44 2.0 2019-04-18T11:25:40+02:00 Disable KDump Kernel Crash Analyzer (kdump) ocil:ssg-service_kdump_disabled_action:testaction:1 Enable cron Service ocil:ssg-service_cron_enabled_action:testaction:1 Create Warning Banners for All FTP Users ocil:ssg-ftp_present_banner_action:testaction:1 Configure System to Forward All Mail For The Root Account ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1 Ensure All-Squashing Disabled On All Exports ocil:ssg-no_all_squash_exports_action:testaction:1 Configure Time Service Maxpoll Interval ocil:ssg-chronyd_or_ntpd_set_maxpoll_action:testaction:1 Specify a Remote NTP Server ocil:ssg-ntpd_specify_remote_server_action:testaction:1 Enable the NTP Daemon ocil:ssg-service_ntp_enabled_action:testaction:1 Enable the NTP Daemon ocil:ssg-service_ntpd_enabled_action:testaction:1 Enable systemd_timesyncd Service ocil:ssg-service_timesyncd_enabled_action:testaction:1 Remove Host-Based Authentication Files ocil:ssg-no_host_based_files_action:testaction:1 Remove Rsh Trust Files ocil:ssg-no_rsh_trust_files_action:testaction:1 Remove User Host-Based Authentication Files ocil:ssg-no_user_host_based_files_action:testaction:1 Uninstall telnet-server Package ocil:ssg-package_telnet-server_removed_action:testaction:1 Verify Permissions on SSH Server Private *_key Key Files ocil:ssg-file_permissions_sshd_private_key_action:testaction:1 Verify Permissions on SSH Server Public *.pub Key Files ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1 Enable the OpenSSH Service ocil:ssg-service_sshd_enabled_action:testaction:1 Install the OpenSSH Client and Server Package ocil:ssg-package_openssh_installed_action:testaction:1 Disable Host-Based Authentication ocil:ssg-disable_host_auth_action:testaction:1 Allow Only SSH Protocol 2 ocil:ssg-sshd_allow_only_protocol2_action:testaction:1 Disable Compression Or Set Compression to delayed ocil:ssg-sshd_disable_compression_action:testaction:1 Disable SSH Access via Empty Passwords ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 Disable GSSAPI Authentication ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1 Disable Kerberos Authentication ocil:ssg-sshd_disable_kerb_auth_action:testaction:1 Disable SSH Support for .rhosts Files ocil:ssg-sshd_disable_rhosts_action:testaction:1 Disable SSH Support for Rhosts RSA Authentication ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 Disable SSH Root Login ocil:ssg-sshd_disable_root_login_action:testaction:1 Disable SSH Support for User Known Hosts ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1 Do Not Allow SSH Environment Options ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1 Enable Use of Strict Mode Checking ocil:ssg-sshd_enable_strictmodes_action:testaction:1 Enable SSH Warning Banner ocil:ssg-sshd_enable_warning_banner_action:testaction:1 Enable Encrypted X11 Forwarding ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1 Enable SSH Print Last Log ocil:ssg-sshd_print_last_log_action:testaction:1 Set SSH Idle Timeout Interval ocil:ssg-sshd_set_idle_timeout_action:testaction:1 Set SSH Client Alive Max Count ocil:ssg-sshd_set_keepalive_action:testaction:1 Set LogLevel to INFO ocil:ssg-sshd_set_loglevel_info_action:testaction:1 Set SSH authentication attempt limit ocil:ssg-sshd_set_max_auth_tries_action:testaction:1 Use Only DoD-approved encryption Ciphers ocil:ssg-sshd_use_approved_ciphers_action:testaction:1 Use Only FIPS 140-2 Validated MACs ocil:ssg-sshd_use_approved_macs_action:testaction:1 Enable Use of Privilege Separation ocil:ssg-sshd_use_priv_separation_action:testaction:1 Set SSH Daemon LogLevel to VERBOSE ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1 Configure SSSD's Memory Cache to Expire ocil:ssg-sssd_memcache_timeout_action:testaction:1 Configure SSSD to Expire Offline Credentials ocil:ssg-sssd_offline_cred_expiration_action:testaction:1 Modify the System Login Banner ocil:ssg-banner_etc_issue_action:testaction:1 Modify the System Login Banner for Console Access ocil:ssg-banner_etc_motd_action:testaction:1 Enable GNOME3 Login Warning Banner ocil:ssg-dconf_gnome_banner_enabled_action:testaction:1 Set the GNOME3 Login Warning Banner Text ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1 Enable GUI Warning Banner ocil:ssg-gconf_gdm_enable_warning_gui_banner_action:testaction:1 Set GUI Warning Banner Text ocil:ssg-gconf_gdm_set_login_banner_text_action:testaction:1 Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1 Modify the System GUI Login Banner ocil:ssg-banner_etc_gdm_banner_action:testaction:1 Ensure PAM Displays Last Logon/Access Notification ocil:ssg-display_login_attempts_action:testaction:1 Enforce Delay After Failed Logon Attempts ocil:ssg-faildelay_action:testaction:1 The PAM configuration should not be changed automatically ocil:ssg-pam_disable_automatic_configuration_action:testaction:1 Limit Password Reuse ocil:ssg-accounts_password_pam_unix_remember_action:testaction:1 Set Deny For Failed Password Attempts ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1 Set Password Strength Minimum Digit Characters ocil:ssg-cracklib_accounts_password_pam_dcredit_action:testaction:1 Set Password Strength Minimum Different Characters ocil:ssg-cracklib_accounts_password_pam_difok_action:testaction:1 Set Password Strength Minimum Lowercase Characters ocil:ssg-cracklib_accounts_password_pam_lcredit_action:testaction:1 Set Password to Maximum of Three Consecutive Repeating Characters ocil:ssg-cracklib_accounts_password_pam_maxrepeat_action:testaction:1 Set Password Strength Minimum Different Categories ocil:ssg-cracklib_accounts_password_pam_minclass_action:testaction:1 Set Password Minimum Length ocil:ssg-cracklib_accounts_password_pam_minlen_action:testaction:1 Set Password Strength Minimum Special Characters ocil:ssg-cracklib_accounts_password_pam_ocredit_action:testaction:1 Set Password Retry Prompts Permitted Per-Session ocil:ssg-cracklib_accounts_password_pam_retry_action:testaction:1 Set Password Strength Minimum Uppercase Characters ocil:ssg-cracklib_accounts_password_pam_ucredit_action:testaction:1 Set Password Hashing Algorithm in /etc/login.defs ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 Set PAM's Password Hashing Algorithm ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1 Set Password Hashing Rounds in /etc/login.defs ocil:ssg-set_password_hashing_min_rounds_logindefs_action:testaction:1 Set PAM's Password Hashing Algorithm for Logins ocil:ssg-set_password_hashing_algorithm_commonauth_action:testaction:1 Disable Ctrl-Alt-Del Reboot Activation ocil:ssg-disable_ctrlaltdel_reboot_action:testaction:1 Check for vlock Command ocil:ssg-vlock_installed_action:testaction:1 Install Smart Card Packages For Multifactor Authentication ocil:ssg-install_smartcard_packages_action:testaction:1 Enable Smart Card Login ocil:ssg-smartcard_auth_action:testaction:1 Configure Smart Card Certificate Status Checking ocil:ssg-smartcard_configure_cert_checking_action:testaction:1 Enable Smart Card Logins in PAM ocil:ssg-smartcard_pam_enabled_action:testaction:1 Configure Smart Card Certificate Authority Validation ocil:ssg-smartcard_configure_ca_action:testaction:1 Ensure All Accounts on the System Have Unique User IDs ocil:ssg-account_unique_id_action:testaction:1 Set Account Expiration Following Inactivity ocil:ssg-account_disable_post_pw_expiration_action:testaction:1 Assign Expiration Date to Temporary Accounts ocil:ssg-account_temp_expire_date_action:testaction:1 Ensure All Accounts on the System Have Unique Names ocil:ssg-account_unique_name_action:testaction:1 Use Centralized and Automated Authentication ocil:ssg-account_use_centralized_automated_auth_action:testaction:1 Set Account Password Minimum Lifetime ocil:ssg-account_minimum_age_shadow_action:testaction:1 Set Account Password Maximum Lifetime ocil:ssg-account_maximum_age_shadow_action:testaction:1 Never Automatically Remove or Disable Emergency Administrator Accounts ocil:ssg-account_emergency_admin_action:testaction:1 Policy Requires Immediate Change of Temporary Passwords ocil:ssg-policy_temp_passwords_immediate_change_action:testaction:1 Set Password Maximum Age ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 Set Password Minimum Age ocil:ssg-accounts_minimum_age_login_defs_action:testaction:1 Set Password Minimum Length in login.defs ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1 Set Password Warning Age ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1 Verify All Account Password Hashes are Shadowed ocil:ssg-accounts_password_all_shadowed_action:testaction:1 All GIDs referenced in /etc/passwd must be defined in /etc/group ocil:ssg-gid_passwd_group_same_action:testaction:1 Prevent Login to Accounts With Empty Password ocil:ssg-no_empty_passwords_action:testaction:1 Verify No netrc Files Exist ocil:ssg-no_netrc_files_action:testaction:1 Verify All Account Password Hashes are Shadowed with SHA512 ocil:ssg-accounts_password_all_shadowed_sha512_action:testaction:1 Verify Only Root Has UID 0 ocil:ssg-accounts_no_uid_except_zero_action:testaction:1 Direct root Logins Not Allowed ocil:ssg-no_direct_root_logins_action:testaction:1 Ensure that System Accounts Are Locked ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 Restrict Serial Port Root Logins ocil:ssg-restrict_serial_port_logins_action:testaction:1 Restrict Virtual Console Root Logins ocil:ssg-securetty_root_login_console_only_action:testaction:1 Ensure Home Directories are Created for New Users ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1 Ensure the Logon Failure Delay is Set Correctly in login.defs ocil:ssg-accounts_logon_fail_delay_action:testaction:1 Limit the Number of Concurrent Login Sessions Allowed Per User ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1 Set Interactive Session Timeout ocil:ssg-accounts_tmout_action:testaction:1 User Initialization Files Must Not Run World-Writable Programs ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1 Ensure that Users Path Contains Only Local Directories ocil:ssg-accounts_user_home_paths_only_action:testaction:1 All Interactive Users Must Have A Home Directory Defined ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1 All Interactive Users Home Directories Must Exist ocil:ssg-accounts_user_interactive_home_directory_exists_action:testaction:1 All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1 Ensure All User Initialization Files Have Mode 0740 Or Less Permissive ocil:ssg-file_permission_user_init_files_action:testaction:1 All Interactive User Home Directories Must Have mode 0750 Or Less Permissive ocil:ssg-file_permissions_home_directories_action:testaction:1 Ensure that User Home Directories are not Group-Writable or World-Readable ocil:ssg-file_permissions_home_dirs_action:testaction:1 Ensure that Root's Path Does Not Include World or Group-Writable Directories ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1 Ensure the Default Umask is Set Correctly in login.defs ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1 Ensure the Default Umask is Set Correctly in /etc/profile ocil:ssg-accounts_umask_etc_profile_action:testaction:1 Ensure the Default Umask is Set Correctly For Interactive Users ocil:ssg-accounts_umask_interactive_users_action:testaction:1 Enable auditd Service ocil:ssg-service_auditd_enabled_action:testaction:1 Record Events that Modify the System's Mandatory Access Controls ocil:ssg-audit_rules_mac_modification_action:testaction:1 Ensure auditd Collects Information on Exporting to Media (successful) ocil:ssg-audit_rules_media_export_action:testaction:1 Record Events that Modify the System's Network Environment ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1 Ensure auditd Collects System Administrator Actions ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1 Record Events that Modify User/Group Information ocil:ssg-audit_rules_usergroup_modification_action:testaction:1 Record Events that Modify User/Group Information - /etc/group ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1 Record Events that Modify User/Group Information - /etc/gshadow ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 Record Events that Modify User/Group Information - /etc/security/opasswd ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1 Record Events that Modify User/Group Information - /etc/passwd ocil:ssg-audit_rules_usergroup_modification_passwd_action:testaction:1 Record Events that Modify User/Group Information - /etc/shadow ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1 Record Access Events to Audit Log directory ocil:ssg-directory_access_var_log_audit_action:testaction:1 System Audit Logs Must Have Mode 0750 or Less Permissive ocil:ssg-directory_permissions_var_log_audit_action:testaction:1 System Audit Logs Must Be Owned By Root ocil:ssg-file_ownership_var_log_audit_action:testaction:1 Record Events When Privileged Executables Are Run ocil:ssg-audit_rules_suid_privilege_function_action:testaction:1 Remove Default Configuration to Disable Syscall Auditing ocil:ssg-audit_rules_enable_syscall_auditing_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - chmod ocil:ssg-audit_rules_dac_modification_chmod_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - chown ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fchmod ocil:ssg-audit_rules_dac_modification_fchmod_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fchmodat ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fchown ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fchownat ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fremovexattr ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fsetxattr ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - lchown ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - lremovexattr ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - lsetxattr ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - removexattr ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - setxattr ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - mount ocil:ssg-audit_rules_dac_modification_mount_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - umount ocil:ssg-audit_rules_dac_modification_umount_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - umount2 ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 Record Any Attempts to Run chcon ocil:ssg-audit_rules_execution_chcon_action:testaction:1 Record Any Attempts to Run chacl ocil:ssg-audit_rules_execution_chacl_action:testaction:1 Record Any Attempts to Run chmod ocil:ssg-audit_rules_execution_chmod_action:testaction:1 Record Any Attempts to Run crontab ocil:ssg-audit_rules_execution_crontab_action:testaction:1 Record Any Attempts to Run rm ocil:ssg-audit_rules_execution_rm_action:testaction:1 Record Any Attempts to Run setfacl ocil:ssg-audit_rules_execution_setfacl_action:testaction:1 Record Any Attempts to Run ssh-agent ocil:ssg-audit_rules_execution_ssh-agent_action:testaction:1 Ensure auditd Collects File Deletion Events by User ocil:ssg-audit_rules_file_deletion_events_action:testaction:1 Ensure auditd Collects Information on Kernel Module Loading and Unloading ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 Ensure auditd Collects Information on Kernel Module Unloading - delete_module ocil:ssg-audit_rules_kernel_module_loading_delete_action:testaction:1 Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1 Ensure auditd Collects Information on Kernel Module Loading - init_module ocil:ssg-audit_rules_kernel_module_loading_init_action:testaction:1 Record Attempts to Alter Logon and Logout Events - lastlog ocil:ssg-audit_rules_login_events_lastlog_action:testaction:1 Record Attempts to Alter Logon and Logout Events - tallylog ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1 Record Attempts to Alter Failed Logon and Logout Events - faillog ocil:ssg-audit_rules_login_events_faillog_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands ocil:ssg-audit_rules_privileged_commands_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - chage ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - chsh ocil:ssg-audit_rules_privileged_commands_chsh_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd ocil:ssg-audit_rules_privileged_commands_gpasswd_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - newgrp ocil:ssg-audit_rules_privileged_commands_newgrp_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - passwd ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - su ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - sudo ocil:ssg-audit_rules_privileged_commands_sudo_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit ocil:ssg-audit_rules_privileged_commands_sudoedit_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - chfn ocil:ssg-audit_rules_privileged_commands_chfn_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - insmod ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - kmod ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - modprobe ocil:ssg-audit_rules_privileged_commands_modprobe_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - passmass ocil:ssg-audit_rules_privileged_commands_passmass_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - rmmod ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - usermod ocil:ssg-audit_rules_privileged_commands_usermod_action:testaction:1 Record attempts to alter time through adjtimex ocil:ssg-audit_rules_time_adjtimex_action:testaction:1 Record Attempts to Alter Time Through clock_settime ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 Record attempts to alter time through settimeofday ocil:ssg-audit_rules_time_settimeofday_action:testaction:1 Record Attempts to Alter Time Through stime ocil:ssg-audit_rules_time_stime_action:testaction:1 Record Attempts to Alter the localtime File ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) ocil:ssg-audit_rules_unsuccessful_file_modification_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - creat ocil:ssg-audit_rules_unsuccessful_file_modification_creat_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - open ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - openat ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 Record Unauthorized Access Attempts to Files (unsuccessful) - truncate ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1 Configure audispd Plugin To Send Logs To Remote Server ocil:ssg-auditd_audispd_configure_remote_server_action:testaction:1 Configure audispd's Plugin disk_full_action When Disk Is Full ocil:ssg-auditd_audispd_disk_full_action_action:testaction:1 Encrypt Audit Records Sent With audispd Plugin ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1 Configure audispd's Plugin network_failure_action On Network Failure ocil:ssg-auditd_audispd_network_failure_action_action:testaction:1 Configure auditd to use audispd's syslog plugin ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 Configure auditd Disk Error Action on Disk Error ocil:ssg-auditd_data_disk_error_action_action:testaction:1 Configure auditd Disk Full Action when Disk Space Is Full ocil:ssg-auditd_data_disk_full_action_action:testaction:1 Configure auditd mail_acct Action on Low Disk Space ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 Configure auditd admin_space_left Action on Low Disk Space ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1 Configure auditd Max Log File Size ocil:ssg-auditd_data_retention_max_log_file_action:testaction:1 Configure auditd max_log_file_action Upon Reaching Maximum Log Size ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1 Configure auditd Number of Logs Retained ocil:ssg-auditd_data_retention_num_logs_action:testaction:1 Configure auditd space_left on Low Disk Space ocil:ssg-auditd_data_retention_space_left_action:testaction:1 Configure auditd space_left Action on Low Disk Space ocil:ssg-auditd_data_retention_space_left_action_action:testaction:1 Configure a Sufficiently Large Partition for Audit Logs ocil:ssg-auditd_audispd_configure_sufficiently_large_partition_action:testaction:1 Set Boot Loader Password in grub2 ocil:ssg-grub2_password_action:testaction:1 Set the UEFI Boot Loader Password ocil:ssg-grub2_uefi_password_action:testaction:1 Ensure rsyslog is Installed ocil:ssg-package_rsyslog_installed_action:testaction:1 Enable rsyslog Service ocil:ssg-service_rsyslog_enabled_action:testaction:1 Ensure real-time clock is set to UTC ocil:ssg-ensure_rtc_utc_configuration_action:testaction:1 Ensure Log Files Are Owned By Appropriate Group ocil:ssg-rsyslog_files_groupownership_action:testaction:1 Ensure Log Files Are Owned By Appropriate User ocil:ssg-rsyslog_files_ownership_action:testaction:1 Ensure System Log Files Have Correct Permissions ocil:ssg-rsyslog_files_permissions_action:testaction:1 Ensure Logrotate Runs Periodically ocil:ssg-ensure_logrotate_activated_action:testaction:1 Ensure syslog-ng is Installed ocil:ssg-package_syslogng_installed_action:testaction:1 Enable syslog-ng Service ocil:ssg-service_syslogng_enabled_action:testaction:1 Ensure Logs Sent To Remote Host ocil:ssg-rsyslog_remote_loghost_action:testaction:1 Ensure System is Not Acting as a Network Sniffer ocil:ssg-network_sniffer_disabled_action:testaction:1 Verify ip6tables Enabled if Using IPv6 ocil:ssg-service_ip6tables_enabled_action:testaction:1 Verify iptables Enabled ocil:ssg-service_iptables_enabled_action:testaction:1 Set Default ip6tables Policy for Incoming Packets ocil:ssg-set_ip6tables_default_rule_action:testaction:1 Set Default iptables Policy for Incoming Packets ocil:ssg-set_iptables_default_rule_action:testaction:1 Set Default iptables Policy for Forwarded Packets ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_action:testaction:1 Configure Accepting IPv6 Redirects By Default ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_action:testaction:1 Disable IPv6 Networking Support Automatic Loading ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1 Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_action:testaction:1 Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_action:testaction:1 Configure Kernel Parameter for Accepting ICMP Redirects By Default ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1 Configure Kernel Parameter for Accepting Source-Routed Packets By Default ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_action:testaction:1 Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1 Configure Kernel Parameter to Use TCP Syncookies ocil:ssg-sysctl_net_ipv4_tcp_syncookies_action:testaction:1 Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_action:testaction:1 Disable Kernel Parameter for Sending ICMP Redirects by Default ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 Disable Kernel Parameter for IP Forwarding ocil:ssg-sysctl_net_ipv4_ip_forward_action:testaction:1 Disable RDS Support ocil:ssg-kernel_module_rds_disabled_action:testaction:1 Disable TIPC Support ocil:ssg-kernel_module_tipc_disabled_action:testaction:1 Deactivate Wireless Network Interfaces ocil:ssg-wireless_disable_interfaces_action:testaction:1 Enable DoS Protections in SuSEfirewall2 ocil:ssg-susefirewall2_ddos_protection_action:testaction:1 Only Allow Authorized Network Services in SuSEfirewall2 ocil:ssg-susefirewall2_only_required_services_action:testaction:1 Enable the SuSEfirewall 2 ocil:ssg-service_SuSEfirewall2_enabled_action:testaction:1 Verify that All World-Writable Directories Have Sticky Bits Set ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 Verify that local System.map file (if exists) is readable only by root ocil:ssg-file_permissions_systemmap_action:testaction:1 Ensure All SGID Executables Are Authorized ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1 Ensure All SUID Executables Are Authorized ocil:ssg-file_permissions_unauthorized_suid_action:testaction:1 Ensure No World-Writable Files Exist ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 Ensure All Files Are Owned by a Group ocil:ssg-file_permissions_ungroupowned_action:testaction:1 Ensure All Files Are Owned by a User ocil:ssg-no_files_unowned_by_user_action:testaction:1 Disallow creating symlinks to a file you not own ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1 Disallow creating symlinks to a file you not own ocil:ssg-sysctl_fs_protected_symlinks_action:testaction:1 Ensure All World-Writable Directories Are Group-Owned by a System Group ocil:ssg-dir_perms_world_writable_system_groupowned_action:testaction:1 Verify Group Who Owns group File ocil:ssg-file_groupowner_etc_group_action:testaction:1 Verify Group Who Owns gshadow File ocil:ssg-file_groupowner_etc_gshadow_action:testaction:1 Verify Group Who Owns passwd File ocil:ssg-file_groupowner_etc_passwd_action:testaction:1 Verify Group Who Owns shadow File ocil:ssg-file_groupowner_etc_shadow_action:testaction:1 Verify User Who Owns group File ocil:ssg-file_owner_etc_group_action:testaction:1 Verify User Who Owns gshadow File ocil:ssg-file_owner_etc_gshadow_action:testaction:1 Verify User Who Owns passwd File ocil:ssg-file_owner_etc_passwd_action:testaction:1 Verify User Who Owns shadow File ocil:ssg-file_owner_etc_shadow_action:testaction:1 Verify Permissions on group File ocil:ssg-file_permissions_etc_group_action:testaction:1 Verify Permissions on gshadow File ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 Verify Permissions on passwd File ocil:ssg-file_permissions_etc_passwd_action:testaction:1 Verify Permissions on shadow File ocil:ssg-file_permissions_etc_shadow_action:testaction:1 Verify Permissions and Ownership of Old Passwords File ocil:ssg-file_etc_security_opasswd_action:testaction:1 Verify that System Executables Have Root Ownership ocil:ssg-file_ownership_binary_dirs_action:testaction:1 Verify that Shared Library Files Have Root Ownership ocil:ssg-file_ownership_library_dirs_action:testaction:1 Verify that System Executables Have Restrictive Permissions ocil:ssg-file_permissions_binary_dirs_action:testaction:1 Verify that Shared Library Files Have Restrictive Permissions ocil:ssg-file_permissions_library_dirs_action:testaction:1 Disable the Automounter ocil:ssg-service_autofs_disabled_action:testaction:1 Disable Core Dumps for SUID programs ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1 Restrict Exposed Kernel Pointer Addresses Access ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 Enable Randomized Layout of Virtual Address Space ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1 Verify that local /var/log/messages is not world-readable ocil:ssg-file_permissions_var_log_messages_action:testaction:1 Verify that Local Logs of the audit Daemon are not World-Readable ocil:ssg-permissions_local_var_log_audit_action:testaction:1 Verify Permissions of Local Logs of audit Tools ocil:ssg-permissions_local_audit_binaries_action:testaction:1 OS commands and libraries must have the proper permissions to protect from unauthorized access ocil:ssg-run_chkstat_action:testaction:1 Encrypt Partitions ocil:ssg-encrypt_partitions_action:testaction:1 Ensure /home Located On Separate Partition ocil:ssg-partition_for_home_action:testaction:1 Ensure /srv Located On Separate Partition ocil:ssg-partition_for_srv_action:testaction:1 Ensure /tmp Located On Separate Partition ocil:ssg-partition_for_tmp_action:testaction:1 Ensure /var Located On Separate Partition ocil:ssg-partition_for_var_action:testaction:1 Ensure /var/log Located On Separate Partition ocil:ssg-partition_for_var_log_action:testaction:1 Ensure /var/log/audit Located On Separate Partition ocil:ssg-partition_for_var_log_audit_action:testaction:1 Ensure Home Directories are Located On Separate Partition ocil:ssg-partition_for_home_dirs_action:testaction:1 Configure GNOME3 DConf User Profile ocil:ssg-enable_dconf_user_profile_action:testaction:1 Force dconf to use the textfiles instead of a binary DB ocil:ssg-dconf_use_text_backend_action:testaction:1 Disable the User List ocil:ssg-gconf_gdm_disable_user_list_action:testaction:1 Disable the GNOME Login Restart and Shutdown Buttons ocil:ssg-gconf_gnome_disable_restart_shutdown_action:testaction:1 Disable GDM Automatic Login ocil:ssg-gnome_gdm_disable_automatic_login_action:testaction:1 Disable GNOME Automounting ocil:ssg-gconf_gnome_disable_automount_action:testaction:1 Disable All GNOME Thumbnailers ocil:ssg-gconf_gnome_disable_thumbnailers_action:testaction:1 Disable WIFI Network Connection Creation in GNOME ocil:ssg-gconf_gnome_disable_wifi_create_action:testaction:1 Disable WIFI Network Disconnect Notification in GNOME ocil:ssg-gconf_gnome_disable_wifi_disconnect_action:testaction:1 Disable WIFI Network Connection Notification in GNOME ocil:ssg-gconf_gnome_disable_wifi_notification_action:testaction:1 Set GNOME3 Screensaver Inactivity Timeout ocil:ssg-dconf_gnome_screensaver_idle_delay_action:testaction:1 Implement Blank Screensaver ocil:ssg-dconf_gnome_screensaver_mode_blank_action:testaction:1 Set GNOME Screen Locking Keybindings ocil:ssg-gconf_gnome_screen_locking_keybindings_action:testaction:1 GNOME Desktop Screensaver Mandatory Use ocil:ssg-gconf_gnome_screensaver_idle_activation_enabled_action:testaction:1 Set GNOME Login Inactivity Timeout ocil:ssg-gconf_gnome_screensaver_idle_delay_action:testaction:1 Enable Screen Lock Activation After Idle Period ocil:ssg-gconf_gnome_screensaver_lock_enabled_action:testaction:1 Set GNOME Login Maximum Allowed Inactivity Action ocil:ssg-gconf_gnome_screensaver_max_idle_action_action:testaction:1 Set GNOME Login Maximum Allowed Inactivity ocil:ssg-gconf_gnome_screensaver_max_idle_time_action:testaction:1 Implement Blank Screensaver ocil:ssg-gconf_gnome_screensaver_mode_blank_action:testaction:1 Enable GNOME3 Lock Screen ocil:ssg-dconf_gnome_enable_lock_screen_action:testaction:1 Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 Disable the GNOME Clock Temperature Feature ocil:ssg-gconf_gnome_disable_clock_temperature_action:testaction:1 Disable the GNOME Clock Weather Feature ocil:ssg-gconf_gnome_disable_clock_weather_action:testaction:1 Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME ocil:ssg-gconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 The Installed Operating System Is FIPS 140-2 Certified ocil:ssg-installed_OS_is_FIPS_certified_action:testaction:1 The Installed Operating System Is Vendor Supported and Certified ocil:ssg-installed_OS_is_certified_action:testaction:1 Configure System Cryptography Policy ocil:ssg-configure_crypto_policy_action:testaction:1 Configure Backups of User Data ocil:ssg-configure_user_data_backups_action:testaction:1 Enable Dracut FIPS Module ocil:ssg-enable_dracut_fips_module_action:testaction:1 Enable FIPS Mode ocil:ssg-enable_fips_mode_action:testaction:1 Set kernel parameter 'crypto.fips_enabled' to 1 ocil:ssg-sysctl_crypto_fips_enabled_action:testaction:1 Build and Test AIDE Database ocil:ssg-aide_build_database_action:testaction:1 Configure Periodic Execution of AIDE ocil:ssg-aide_periodic_cron_checking_action:testaction:1 Configure Notification of Post-AIDE Scan Details ocil:ssg-aide_scan_notification_action:testaction:1 Configure AIDE to Verify Access Control Lists (ACLs) ocil:ssg-aide_verify_acls_action:testaction:1 Configure AIDE to Verify Extended Attributes ocil:ssg-aide_verify_ext_attributes_action:testaction:1 Install AIDE ocil:ssg-package_aide_installed_action:testaction:1 Configure AIDE to Verify the Audit Tools ocil:ssg-aide_check_audit_tools_action:testaction:1 Only Authorized Local User Accounts Exist on Operating System ocil:ssg-accounts_authorized_local_users_action:testaction:1 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate ocil:ssg-sudo_remove_no_authenticate_action:testaction:1 Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD ocil:ssg-sudo_remove_nopasswd_action:testaction:1 Ensure Users Re-Authenticate for Privilege Escalation - sudo ocil:ssg-sudo_require_authentication_action:testaction:1 Only the VDSM User Can Use sudo NOPASSWD ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 Ensure zypper Removes Previous Package Versions ocil:ssg-clean_components_post_updating_action:testaction:1 Ensure gpgcheck Enabled In Main zypper Configuration ocil:ssg-ensure_gpgcheck_globally_activated_action:testaction:1 Ensure Software Patches Installed ocil:ssg-security_patches_up_to_date_action:testaction:1 Disable the usb-storage Kernel Module ocil:ssg-blacklist_usb-storage_action:testaction:1 Ensure AppArmor is Active and Configured ocil:ssg-apparmor_configured_action:testaction:1 Enable apparmor Service ocil:ssg-service_apparmor_enabled_action:testaction:1 Install the pam_apparmor Package ocil:ssg-package_pam_apparmor_installed_action:testaction:1 PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL To check that the kdump service is disabled in system boot configuration, run the following command: $ systemctl is-enabled kdump Output should indicate the kdump service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled kdumpdisabled Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration: $ systemctl is-active kdump If the service is not running the command will return the following output: inactive Is it the case that ? Run the following command to determine the current status of the cron service: $ systemctl is-active cron If the service is running, it should return the following: active Is it the case that ? If FTP services are not installed, this is not applicable. To verify this configuration, run the following command: grep "banner_file" /etc/vsftpd.conf The output should show the value of banner_file is set to /etc/issue, an example of which is shown below: $ sudo grep "banner_file" /etc/vsftpd.conf banner_file=/etc/issue Is it the case that it does not? Find the list of alias maps used by the Postfix mail server: $ sudo postconf alias_maps Query the Postfix alias maps for an alias for the root user: $ sudo postmap -q root hash:/etc/aliases The output should return an alias. Is it the case that it is not? To verify all squashing has been disabled, run the following command: $ grep all_squash /etc/exports Is it the case that there is output? To verify that maxpoll has been set properly, perform the following: $ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf The output should return maxpoll . Is it the case that it does not exist or maxpoll has not been set to the expected value? To verify that a remote NTP service is configured for time synchronization, open the following file: /etc/ntp.conf In the file, there should be a section similar to the following: server ntpserver Is it the case that this is not the case? Run the following command to determine the current status of the ntp service: $ systemctl is-active ntp If the service is running, it should return the following: active Is it the case that ? Run the following command to determine the current status of the ntpd service: $ systemctl is-active ntpd If the service is running, it should return the following: active Is it the case that ? Run the following command to determine the current status of the systemd_timesyncd service: $ systemctl is-active systemd_timesyncd If the service is running, it should return the following: active Is it the case that ? To verify that there are no shosts.equiv files on the system, run the following command: $ find / -name shosts.equiv No output should be returned. Is it the case that these files exist? The existence of the file /etc/hosts.equiv or a file named .rhosts inside a user home directory indicates the presence of an Rsh trust relationship. Is it the case that these files exist? To verify that there are no .shosts files on the system, run the following command: $ sudo find / -name '.shosts' No output should be returned. Is it the case that these files exist? Run the following command to determine if the telnet-server package is installed: $ rpm -q telnet-server Is it the case that the package is installed? To check the permissions of /etc/ssh/*_key, run the command: $ ls -l /etc/ssh/*_key If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/ssh/*_key has unix mode -rw-r-----? To check the permissions of /etc/ssh/*.pub, run the command: $ ls -l /etc/ssh/*.pub If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/ssh/*.pub has unix mode -rw-r--r--? Run the following command to determine the current status of the sshd service: $ systemctl is-active sshd If the service is running, it should return the following: active Is it the case that ? Run the following command to determine if the openssh package is installed: $ rpm -q openssh Is it the case that the package is not installed? To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command: $ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value no is returned, then the required value is set. Is it the case that the required value is not set? To check which SSH protocol version is allowed, check version of openssh-server with following command: $ rpm -qi openssh-server | grep Version Versions equal to or higher than 7.4 only allow Protocol 2. If version is lower than 7.4, run the following command to check configuration: $ sudo grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 Is it the case that it is commented out or is not set correctly to Protocol 2? To check if compression is enabled or set correctly, run the following command: $ sudo grep Compression /etc/ssh/sshd_config If configured properly, output should be no or delayed. Is it the case that it is commented out, or is not set to no or delayed? To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: $ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value no is returned, then the required value is set. Is it the case that the required value is not set? To check if GSSAPIAuthentication is disabled or set correctly, run the following command: $ sudo grep GSSAPIAuthentication /etc/ssh/sshd_config If configured properly, output should be no Is it the case that it is commented out or is not disabled? To check if KerberosAuthentication is disabled or set correctly, run the following command: $ sudo grep KerberosAuthentication /etc/ssh/sshd_config If configured properly, output should be no Is it the case that it is commented out or is not disabled? To determine how the SSH daemon's IgnoreRhosts option is set, run the following command: $ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value yes is returned, then the required value is set. Is it the case that the required value is not set? To check which SSH protocol version is allowed, check version of openssh-server with following command: $ rpm -qi openssh-server | grep Version Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. If version is lower than 7.4, run the following command to check configuration: To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command: $ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value no is returned, then the required value is set. Is it the case that the required value is not set? To determine how the SSH daemon's PermitRootLogin option is set, run the following command: $ sudo grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: $ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? To ensure users are not able to present environment daemons, run the following command: $ sudo grep PermitUserEnvironment /etc/ssh/sshd_config If properly configured, output should be: PermitUserEnvironment no Is it the case that PermitUserEnvironment is not disabled? To check if StrictModes is enabled or set correctly, run the following command: $ sudo grep StrictModes /etc/ssh/sshd_config If configured properly, output should be yes Is it the case that it is commented out or is not enabled? To determine how the SSH daemon's Banner option is set, run the following command: $ sudo grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. Is it the case that the required value is not set? To determine how the SSH daemon's X11Forwarding option is set, run the following command: $ sudo grep -i X11Forwarding /etc/ssh/sshd_config If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? To check if PrintLastLog is enabled or set correctly, run the following command: $ sudo grep PrintLastLog /etc/ssh/sshd_config If configured properly, output should be yes Is it the case that it is commented out or is not enabled? Run the following command to see what the timeout interval is: $ sudo grep ClientAliveInterval /etc/ssh/sshd_config If properly configured, the output should be: ClientAliveInterval Is it the case that it is commented out or not configured properly? To ensure the SSH idle timeout will occur when the ClientAliveInterval is set, run the following command: $ sudo grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, output should be: ClientAliveCountMax Is it the case that it is commented out or not configured properly? To check if LogLevel is enabled or set correctly, run the following command: $ sudo grep "^LogLevel" /etc/ssh/sshd_config If configured properly, output should be LogLevel INFO Is it the case that it is commented out or is not enabled? To ensure the MaxAuthTries parameter is set, run the following command: $ sudo grep MaxAuthTries /etc/ssh/sshd_config If properly configured, output should be: MaxAuthTries tries Is it the case that it is commented out or not configured properly? Only DoD-approved ciphers should be used. To verify that only DoD-approved ciphers are in use, run the following command: $ sudo grep Ciphers /etc/ssh/sshd_config The output should contain only those ciphers which are DoD-approved. Is it the case that DoD-approved ciphers are not configured or the enabled ciphers are not DoD-approved? Only FIPS-approved MACs should be used. To verify that only FIPS-approved MACs are in use, run the following command: $ sudo grep -i macs /etc/ssh/sshd_config The output should contain only those MACs which are FIPS-approved. Any use of other ciphers or algorithms will result in the module entering the non-FIPS mode of operation. Is it the case that MACs option is commented out or not using FIPS-approved hash algorithms? To check if UsePrivilegeSeparation is enabled or set correctly, run the following command: $ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config If configured properly, output should be . Is it the case that it is commented out or is not enabled? To check if LogLevel is enabled or set correctly, run the following command: $ sudo grep "^LogLevel" /etc/ssh/sshd_config If configured properly, output should be LogLevel VERBOSE Is it the case that it is commented out or is not enabled? To verify that SSSD's in-memory cache expires after a day, run the following command: $ sudo grep memcache_timeout /etc/sssd/sssd.conf If configured properly, output should be memcache_timeout = . Is it the case that it does not exist or is not configured properly? To verify that SSSD expires offline credentials, run the following command: $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf If configured properly, output should be offline_credentials_expiration = 1 Is it the case that it does not exist or is not configured properly? To check if the system login banner is compliant, run the following command: $ cat /etc/issue Is it the case that it does not display the required banner? To check if the system login banner is compliant, run the following command: $ cat /etc/motd Is it the case that it does not display the required banner? To ensure a login warning banner is enabled, run the following: $ grep banner-message-enable /etc/dconf/db/gdm.d/* If properly configured, the output should be true. To ensure a login warning banner is locked and cannot be changed by a user, run the following: $ grep banner-message-enable /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/banner-message-enable. Is it the case that it is not? To ensure the login warning banner text is properly set, run the following: $ grep banner-message-text /etc/dconf/db/gdm.d/* If properly configured, the proper banner text will appear. To ensure the login warning banner text is locked and cannot be changed by a user, run the following: $ grep banner-message-text /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/banner-message-text. Is it the case that it does not? To ensure a login warning banner is enabled, run the following: $ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_enable Search for the banner_message_enable schema. If properly configured, the default value should be true. Is it the case that it is not? To ensure the login warning banner text is properly set, run the following: $ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_text If properly configured, the proper banner text will appear within this schema. Is it the case that it does not? Verify the SUSE operating system displays the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on via the local GUI. Note: If GNOME is not installed, this requirement is Not Applicable. Check the configuration by running the following command: # more /etc/gdm/Xsession The beginning of the file must contain the following text immediately after #!/bin/sh: if ! zenity --text-info \ --title "Consent" \ --filename=/etc/gdm/banner \ --no-markup \ --checkbox="Accept." 10 10; then sleep 1; exit 1; fi If the beginning of the file does not contain the above text immediately after the line (#!/bin/sh), this is a finding. Is it the case that the GNOME environment does not display the standard mandatory DoD notice and consent banner? To check if the system login banner is compliant, run the following command: $ cat /etc/gdm/banner Is it the case that it does not display the required banner? To ensure that last logon/access notification is configured correctly, run the following command: $ grep pam_lastlog.so /etc/pam.d/login The output should show output showfailed and must not contain silent. Is it the case that that is not the case? Verify the SUSE operating system enforces a delay of at least four seconds between logon prompts following a failed logon attempt. # grep pam_faildelay /etc/pam.d/common-auth* auth required pam_faildelay.so delay=000000 If the value of delay is not set to 4000000, delay is commented out, delay is missing, or the pam_faildelay line is missing completely, this is a finding. Is it the case that that is not the case? Check that soft links between PAM configuration files are removed with the following command: # find /etc/pam.d/ -type l -iname "common-*" If any results are returned, this is a finding. Is it the case that that is not the case? To verify the password reuse setting is compliant, run the following command: $ grep remember /etc/pam.d/common-password The output should show the following at the end of the line: remember= use_authtok Is it the case that the value of remember is not set equal to or greater than the expected setting? Check that the systems locks a user account after three consecutive failed login attempts with the following command: # grep pam_tally2.so /etc/pam.d/common-auth auth required pam_tally2.so deny=3 # grep pam_tally2.so /etc/pam.d/common-account account required pam_tally2.so deny=3 If the "deny" option in one of the files is greater than "3" or is missing, this is a finding. Is it the case that that is not the case? To check how many digits are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The dcredit parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as dcredit=-1. Is it the case that dcredit is not found or not set to the required value? To check how many characters must differ during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The difok parameter will indicate how many characters must differ. The DoD requires four characters differ during a password change. This would appear as difok=4. Is it the case that difok is not found or not set to the required value? To check how many lowercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The lcredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit=-1. Is it the case that lcredit is not found or not set to the required value? To check the maximum value for consecutive repeating characters, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth Look for the value of the maxrepeat parameter. The DoD requirement is 3. Is it the case that maxrepeat is not found or not set to the required value? To check how many categories of characters must be used in password during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The minclass parameter will indicate how many character classes must be used. If the requirement was for the password to contain characters from three different categories, then this would appear as minclass=3. Is it the case that minclass is not found or not set to the required value? To check how many characters are required in a password, run the following command: $ grep cracklib /etc/pam.d/system-auth Your output should contain minlen= Is it the case that minlen is not found or not set to the required value (or higher)? To check how many special characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The ocredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit=-1. Is it the case that ocredit is not found or not set to the required value? To check how many retry attempts are permitted on a per-session basis, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The retry parameter will indicate how many attempts are permitted. The DoD required value is less than or equal to 3. This would appear as retry=3, or a lower value. Is it the case that it is not the required value? To check how many uppercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit=-1. Is it the case that ucredit is not found or not set to the required value? Inspect /etc/login.defs and ensure the following line appears: ENCRYPT_METHOD SHA512 Is it the case that it does not? Inspect the contents of /etc/pam.d/common-password and ensure that the pam_unix.so module includes the argument sha512: $ grep sha512 /etc/pam.d/common-password Is it the case that it does not? Inspect /etc/login.defs and ensure the following settings are either not configured, or set at least to a value of 5000: SHA_CRYPT_MIN_ROUNDS 5000 SHA_CRYPT_MAX_ROUNDS 5000 Is it the case that it does not? Inspect the contents of /etc/pam.d/common-auth and ensure that the pam_unix.so module includes the argument sha512: $ grep sha512 /etc/pam.d/common-auth auth required pam_unix.so sha512 try_first_pass Is it the case that it does not? To ensure the system is configured to mask the Ctrl-Alt-Del sequence, enter the following command: $ sudo ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target or $ sudo systemctl mask ctrl-alt-del.target Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? Run the following command to determine if vlock is installed: $ rpm -q --whatprovides vlock Is it the case that the package is not installed? To verify the operating system has the packages required for multifactor authentication installed, run the following command: # rpm -q pam_pkcs11 mozilla-nss mozilla-nss-tools pcsc-ccid pcsc-lite pcsc-tools opensc coolkey Is it the case that smartcard software is not installed? Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication: SIPRNET systemsStandalone systemsApplication accountsTemporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIVOperational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALTTest systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT. Is it the case that non-exempt accounts are not using CAC authentication? To verify the operating system implements certificate status checking for PKI authentication, run the following command: $ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf The output should return multiple lines similiar to the following: cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; Is it the case that ocsp_on is not configured? Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Check that the pam_pkcs11.so option is configured in the etc/pam.d/common-auth file with the following command: # grep pam_pkcs11.so /etc/pam.d/common-auth auth sufficient pam_pkcs11.so If pam_pkcs11.so is not set in etc/pam.d/common-auth this is a finding. Is it the case that non-exempt accounts are not using CAC authentication? To verify the operating system implements certificate status checking for PKI authentication, run the following command: $ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf The output should return multiple lines similiar to the following: cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; Is it the case that ca is not configured? Run the following command to check for duplicate account names: $ awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If there are no duplicate user IDs (UIDs), no line will be returned. Is it the case that a line is returned? To verify the INACTIVE setting, run the following command: $ grep "INACTIVE" /etc/default/useradd The output should indicate the INACTIVE configuration option is set to an appropriate integer as shown in the example below: $ grep "INACTIVE" /etc/default/useradd INACTIVE= Is it the case that the value of INACTIVE is greater than the expected value? For every temporary and emergency account, run the following command to obtain its account aging and expiration information: $ sudo chage -l USER Verify each of these accounts has an expiration date set as documented. Is it the case that any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame? Run the following command to check for duplicate account names: $ sudo pwck -qr If there are no duplicate names, no line will be returned. Is it the case that a line is returned? Verify that the system is integrated with a centralized authentication mechanism such as as Active Directory, Kerberos, Directory Server, etc. that has automated account mechanisms in place. Is it the case that the system is not using a centralized authentication mechanism, or it is not automated? Check the minimum time period between password changes for each user account with the following command: # sudo cat /etc/shadow | cut -d ':' -f1,4 | grep -v 1 | grep -v ":$" smithj:1 Is it the case that the second column is zero for any account? Check the maximum time period between password changes for each user account with the following command: # sudo awk -F':' '$5 > { print $1, $5 }' < /etc/shadow smithj 90 Is it the case that any line appears? Check to see if an emergency administrator account password or account expires with the following command: # sudo chage -l [Emergency_Administrator] Password expires:never If Password expires or Account expires is set to anything other than never, this is a finding. Is it the case that any emergency administrator account or account password has an expiration date set? Verify that a policy exists that ensures when a user is created, it is creating using a method that forces a user to change their password upon their next login. Configure the SUSE operating system to allow the use of a temporary password for system logons with an immediate change to a permanent password. Using one of the acceptable methods listed below, force a user to change their password on their next logon by replacing "[UserName]" in the one of the following commands: # chage -d 0 [UserName] # passwd -e [UserName] Is it the case that any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame? To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The DoD and FISMA requirement is 60. A value of 180 days is sufficient for many environments. Is it the case that PASS_MAX_DAYS is not set equal to or greater than the required value? To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs Is it the case that it is not equal to or greater than the required value? To check the minimum password length, run the command: $ grep PASS_MIN_LEN /etc/login.defs The DoD requirement is 15. Is it the case that it is not set to the required value? To check the password warning age, run the command: $ grep PASS_WARN_AGE /etc/login.defs The DoD requirement is 7. Is it the case that it is not set to the required value? To check that no password hashes are stored in /etc/passwd, run the following command: awk '!/\S:x|\*/ {print}' /etc/passwd If it produces any output, then a password hash is stored in /etc/passwd. Is it the case that any stored hashes are found in /etc/passwd? To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: $ sudo pwck -qr There should be no output. Is it the case that GIFs referenced in /etc/passwd are returned as not defined in /etc/group? To verify that null passwords cannot be used, run the following command: $ grep nullok /etc/pam.d/common-password and /etc/pam.d/common-auth If this produces any output, it may be possible to log into accounts with empty passwords. Remove any instances of the nullok option to prevent logins with empty passwords. Is it the case that NULL passwords can be used? To check the system for the existence of any .netrc files, run the following command: $ sudo find /home -xdev -name .netrc Is it the case that any .netrc files exist? Check that the interactive user account passwords are using a strong password hash with the following command: # sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes ! or * indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with $6, this is a finding. Is it the case that passwords hashed with an unauthorized algorithm are found in /etc/shadow? To list all password file entries for accounts with UID 0, run the following command: $ awk -F: '($3 == \"0\") {print}' /etc/passwd This should print only one line, for the user root. If there is a finding, change the UID of the failing (non-root) user. If the account is associated with the system commands or applications the UID should be changed to one greater than 0 but less than 1000. Otherwise assign a UID of greater than 1000 that has not already been assigned. Is it the case that any account other than root has a UID of 0? To ensure root may not directly login to the system over physical consoles, run the following command: cat /etc/securetty If any output is returned, this is a finding. Is it the case that the /etc/securetty file is not empty? To obtain a listing of all users and the contents of their shadow password field, run the command: $ sudo awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less than UID_MIN, other than root. Value of the UID_MIN directive is set in /etc/login.defs configuration file. In the default configuration, UID_MIN is set to 500. Is it the case that it is not? To check for serial port entries which permit root login, run the following command: $ sudo grep ^ttyS/[0-9] /etc/securetty If any output is returned, then root login over serial ports is permitted. Is it the case that root login over serial ports is permitted? To check for virtual console entries which permit root login, run the following command: $ sudo grep ^vc/[0-9] /etc/securetty If any output is returned, then root logins over virtual console devices is permitted. Is it the case that root login over virtual console devices is permitted? Check if the system is configured to create home directories for local interactive users with the following command: $ sudo grep -i create_home /etc/login.defs Is it the case that the value of CREATE_HOME is not set to yes, is missing, or the line is commented out? Verify the FAIL_DELAY setting is configured correctly in the /etc/login.defs file by running the following command: $ sudo grep -i "FAIL_DELAY" /etc/login.defs All output must show the value of FAIL_DELAY set as shown in the below: $ sudo grep -i "FAIL_DELAY" /etc/login.defs fail_delay Is it the case that the above command returns no output, or FAIL_DELAY is configured less than the expected value? Run the following command to ensure the maxlogins value is configured for all users on the system: # grep "maxlogins" /etc/security/limits.conf You should receive output similar to the following: *\t\thard\tmaxlogins\t Is it the case that maxlogins is not equal to or less than the expected value? Run the following command to ensure the TMOUT value is configured for all users on the system: $ sudo grep TMOUT /etc/profile.d/autologout.sh The output should return the following: TMOUT= readonly TMOUT export TMOUT Is it the case that value of TMOUT is not less than or equal to expected setting? To verify that local initialization files do not execute world-writable programs, execute the following command: $ sudo find /home -perm -002 -type f -exec ls -ld {} -name ".[^.]*"\; There should be no output. Is it the case that files are executing world-writable programs? To verify that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory, run the following command: $ sudo grep -r PATH /home/ Inspect the output for any PATH is references directories outside the home directory. Is it the case that paths contain more than local home directories? To verify interactive users on the system have a home directory assigned, run the following command: $ sudo awk -F":" '{print $1 ":" $6}' /etc/passwd Inspect the output and verify that all interactive users have a home directory defined. Is it the case that users home directory is not defined? To verify the assigned home directory of all interactive users on the system exist, run the following command: $ sudo pwck -r The output should not return any interactive users. Is it the case that users home directory does not exist? To verify all files and directories in interactive user home directory are group-owned by a group the user is a member of, run the following command: $ sudo ls -lLR /home/USER Is it the case that the group ownership is incorrect? To verify that all user initialization files have a mode of 0740 or less permissive, run the following command: $ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \) There should be no output. Is it the case that they are not 0740 or more permissive? To verify the assigned home directory of all interactive user home directories have a mode of 0750 or less permissive, run the following command: $ sudo ls -l /home Inspect the output for any directories with incorrect permissions. Is it the case that they are more permissive? To ensure the user home directory is not group-writable or world-readable, run the following: # ls -ld /home/USER Is it the case that the user home directory is group-writable or world-readable? To ensure write permissions are disabled for group and other for each element in root's path, run the following command: # ls -ld DIR Is it the case that group or other write permissions exist? Verify the UMASK setting is configured correctly in the /etc/login.defs file by running the following command: # grep -i "UMASK" /etc/login.defs All output must show the value of umask set as shown in the below: # grep -i "UMASK" /etc/login.defs umask Is it the case that the above command returns no output, or if the umask is configured incorrectly? Verify the umask setting is configured correctly in the /etc/profile file by running the following command: # grep "umask" /etc/profile All output must show the value of umask set as shown in the below: # grep "umask" /etc/profile umask Is it the case that the above command returns no output, or if the umask is configured incorrectly? Verify the UMASK setting is not configured for interactive users, run the following command: $ sudo grep -ri "UMASK" /home There should be no output. Is it the case that the above command returns no output, or if the umask is configured incorrectly? Run the following command to determine the current status of the auditd service: $ systemctl is-active auditd If the service is running, it should return the following: active Is it the case that ? To determine if the system is configured to audit changes to its SELinux configuration files, run the following command: $ sudo auditctl -l | grep "dir=/etc/selinux" If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including perm=wa indicating permissions that are watched). Is it the case that the system is not configured to audit attempts to change the MAC policy? To verify that auditing is configured for all media exportation events, run the following command: $ sudo auditctl -l | grep syscall | grep mount Is it the case that there is not output? To determine if the system is configured to audit changes to its network configuration, run the following command: auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' If the system is configured to watch for network configuration changes, a line should be returned for each file specified (and perm=wa should be indicated for each). Is it the case that the system is not configured to audit changes of the network configuration? To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d" Is it the case that there is not output? To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/group)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/gshadow)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/shadow)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? To determine if the system is configured to audit accesses to /var/log/audit directory, run the following command: preserve$ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Run the following command to check the mode of the system audit logs: $ sudo ls -ld /var/log/audit Audit log directories must be mode 0700 or less permissive. Is it the case that any are more permissive? To properly set the owner of /var/log/audit, run the command: $ sudo chown root /var/log/audit To properly set the owner of /var/log/audit/*, run the command: $ sudo chown root /var/log/audit/* Is it the case that ? Find relevant setuid and setgid programs using the following command once for each local system partition, replacing "[PARTITION]" with each local system partition: # sudo find [PARTITION] -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null Verify all of the programs found with the command above are listed in the audit file by running the following command for every program found, replacing "[FILE_PATH]" with each program to include the full path: # grep [FILE_PATH] /etc/audit/audit.rules -w [SETUID_FILE_PATH] -p wa -k privilege_function All setuid and setgid programs on the system must have a corresponding audit rule, or there must be an audit rule for the subdirectory that contains the setuid/setgid file. Is it the case that audit records for all privileged operations performed through suid binaries are not generated? To check for the offending line, run the following command: $ grep task,never /etc/audit/{rules.d,.}/audit.rules There must not be any output, or else these lines must be removed from the matching files. Is it the case that syscall auditing is still disabled? To determine if the system is configured to audit calls to the chmod system call, run the following command: preserve$ sudo grep "chmod" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the chown system call, run the following command: preserve$ sudo grep "chown" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fchmod system call, run the following command: preserve$ sudo grep "fchmod" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fchmodat system call, run the following command: preserve$ sudo grep "fchmodat" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fchown system call, run the following command: preserve$ sudo grep "fchown" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fchownat system call, run the following command: preserve$ sudo grep "fchownat" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fremovexattr system call, run the following command: preserve$ sudo grep "fremovexattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fsetxattr system call, run the following command: preserve$ sudo grep "fsetxattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the lchown system call, run the following command: preserve$ sudo grep "lchown" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the lremovexattr system call, run the following command: preserve$ sudo grep "lremovexattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the lsetxattr system call, run the following command: preserve$ sudo grep "lsetxattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the removexattr system call, run the following command: preserve$ sudo grep "removexattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the setxattr system call, run the following command: preserve$ sudo grep "setxattr" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the mount system call, run the following command: preserve$ sudo grep "mount" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the umount system call, run the following command: preserve$ sudo grep "umount" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the umount2 system call, run the following command: preserve$ sudo grep "umount2" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change Is it the case that ? To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/chacl" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod Is it the case that ? To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/chmod" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod Is it the case that ? To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/crontab" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod Is it the case that ? To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/rm" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod Is it the case that ? To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/setfacl" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod Is it the case that ? To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/ssh-agent" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that ? To determine if the system is configured to audit calls to the rmdir system call, run the following command: preserve$ sudo grep "rmdir" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the unlink system call, run the following command: preserve$ sudo grep "unlink" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the unlinkat system call, run the following command: preserve$ sudo grep "unlinkat" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the rename system call, run the following command: preserve$ sudo grep "rename" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the renameat system call, run the following command: preserve$ sudo grep "renameat" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the init_module system call, run the following command: preserve$ sudo grep "init_module" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the delete_module system call, run the following command: preserve$ sudo grep "delete_module" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the delete_module system call, run the following command: preserve$ sudo grep "delete_module" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the finit_module system call, run the following command: preserve$ sudo grep "finit_module" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the init_module system call, run the following command: preserve$ sudo grep "init_module" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/var/log/lastlog\|-w /var/log/lastlog" Is it the case that there is not output? To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/var/log/tallylog\|-w /var/log/tallylog" Is it the case that there is not output? To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/var/log/faillog\|-w /var/log/faillog" Is it the case that there is not output? To verify that auditing of privileged command use is configured, run the following command for each local partition PART to find relevant setuid / setgid programs: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: $ sudo grep path /etc/audit/audit.rules It should be the case that all relevant setuid / setgid programs have a line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep chfn /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep insmod /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep rmmod /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep modprobe /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep passmass /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep rmmod /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep usermod /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? To determine if the system is configured to audit calls to the adjtimex system call, run the following command: preserve$ sudo grep "adjtimex" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the clock_settime system call, run the following command: preserve$ sudo grep "clock_settime" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the settimeofday system call, run the following command: preserve$ sudo grep "settimeofday" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? If the system is not configured to audit time changes, this is a finding. If the system is 64-bit only, this is not applicable ocil: | To determine if the system is configured to audit calls to the stime system call, run the following command: preserve$ sudo grep "stime" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command: $ sudo auditctl -l | grep "watch=/etc/localtime" If the system is configured to audit this activity, it will return a line. Is it the case that the system is not configured to audit time changes? To verify that the audit system collects unauthorized file accesses, run the following commands: $ sudo grep EACCES /etc/audit/audit.rules $ sudo grep EPERM /etc/audit/audit.rules Is it the case that 32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM? To determine if the system is configured to audit calls to the creat system call, run the following command: preserve$ sudo grep "creat" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the ftruncate system call, run the following command: preserve$ sudo grep "ftruncate" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the open system call, run the following command: preserve$ sudo grep "open" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the open_by_handle_at system call, run the following command: preserve$ sudo grep "open_by_handle_at" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the openat system call, run the following command: preserve$ sudo grep "openat" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the truncate system call, run the following command: preserve$ sudo grep "truncate" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To verify the audispd plugin off-loads audit records onto a different system or media from the system being audited, run the following command: $ sudo grep -i remote_server /etc/audisp/audisp-remote.conf The output should return something similar to: remote_server = Is it the case that audispd is not sending logs to a remote system? Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to either send to syslog, switch to single user mode, or halt when the disk is full: grep -i disk_full_action /etc/audisp/audisp-remote.conf The output should return something similar to: disk_full_action = single Acceptable values also include syslog and halt. Is it the case that the system is not configured to switch to single user mode for corrective action? To verify the audispd plugin encrypts audit records off-loaded onto a different system or media from the system being audited, run the following command: $ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf The output should return the following: enable_krb5 = yes Is it the case that audispd is not encrypting audit records when sent over the network? Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to either send to syslog, switch to single user mode, or halt when there is a network failure with audispd: grep -i network_failure_action /etc/audisp/audisp-remote.conf The output should return something similar to: network_failure_action = single Acceptable values also include syslog and halt. Is it the case that the system is not configured to switch to single user mode for corrective action? To verify the audispd's syslog plugin is active, run the following command: $ sudo grep active /etc/audisp/plugins.d/syslog.conf If the plugin is active, the output will show yes. Is it the case that it is not activated? Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either log to syslog, switch to single-user mode, execute a script, or halt when the disk errors: disk_error_action single Is it the case that the system is not configured to switch to single-user mode for corrective action? Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either log to syslog, switch to single-user mode, execute a script, or halt when the disk is out of space: disk_full_action single Is it the case that the system is not configured to switch to single-user mode for corrective action? Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: action_mail_acct = root Is it the case that auditd is not configured to send emails per identified actions? Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either suspend, switch to single user mode, or halt when disk space has run low: admin_space_left_action single Is it the case that the system is not configured to switch to single user mode for corrective action? Inspect /etc/audit/auditd.conf and locate the following line to determine how much data the system will retain in each audit log file: $ sudo grep max_log_file /etc/audit/auditd.conf max_log_file = 6 Is it the case that the system audit data threshold has not been properly configured? Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size: $ sudo grep max_log_file_action /etc/audit/auditd.conf max_log_file_action rotate Is it the case that the system has not been properly configured to rotate audit logs? Inspect /etc/audit/auditd.conf and locate the following line to determine how many logs the system is configured to retain after rotation: $ sudo grep num_logs /etc/audit/auditd.conf num_logs = 5 Is it the case that the system log file retention has not been properly configured? Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured correctly: space_left = SIZE_in_MB Where SIZE_in_MB is at least 25% of the capacity of partition storing /var/log/audit. Is it the case that the system is not configured a specfic size in MB to notify administrators of an issue? Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: $ sudo grep space_left_action /etc/audit/auditd.conf space_left_action Acceptable values are email, suspend, single, and halt. Is it the case that the system is not configured to send an email to the system administrator when disk space is starting to run low? To verify whether audispd plugin off-loads audit records onto a different system or media from the system being audited, run the following command: $ sudo grep -i remote_server /etc/audisp/audisp-remote.conf The output should return something similar to where REMOTE_SYSTEM is an IP address or hostname: remote_server = REMOTE_SYSTEM Check the size of the partition that audit records are written to with the following command and verify whether it is sufficiently large: # df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit Is it the case that audispd is not sending logs to a remote system and the local partition is insufficiently large? To verify the boot loader superuser account has been set, run the following command: sudo grep -A1 "superusers\|password" /etc/grub.d/40_custom The output should show the following: set superusers="superusers-account" export superusers password_pbkdf2 superusers-account ${GRUB2_PASSWORD} To verify the boot loader superuser account password has been set, and the password encrypted, run the following command: sudo cat /boot/grub2/grub.cfg The output should be similar to: password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 Is it the case that it does not? To verify the boot loader superuser account has been set, run the following command: sudo grep -A1 "superusers\|password" /etc/grub.d/40_custom The output should show the following: set superusers="superusers-account" export superusers password_pbkdf2 superusers-account ${GRUB2_PASSWORD} To verify the boot loader superuser account password has been set, and the password encrypted, run the following command: sudo cat /boot/efi/EFI/sles/grub.cfg The output should be similar to: password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 Is it the case that it does not? Run the following command to determine if the rsyslog package is installed: $ rpm -q rsyslog Is it the case that the package is not installed? Run the following command to determine the current status of the rsyslog service: $ systemctl is-active rsyslog If the service is running, it should return the following: active Is it the case that ? To verify that the system real-time clock is set to UTC, run the following command: $ timedatectl status The RTC in local TZ output should show no and the RTC time should be the same as the Universal time. If the RTC is set to the local time zone, use the following command to use UTC again: $ sudo timedatectl set-local-rtc 0 Is it the case that the system real-time clock is not configured to use UTC as its time base? The group-owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the group-owner of a given log file, run the following command: $ ls -l LOGFILE Is it the case that the group-owner is not correct? The owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the owner of a given log file, run the following command: $ ls -l LOGFILE Is it the case that the owner is not correct? The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the permissions of a given log file, run the following command: $ ls -l LOGFILE The permissions should be 600, or more restrictive. Is it the case that the permissions are not correct? To determine the status and frequency of logrotate, run the following command: $ sudo grep logrotate /var/log/cron* If logrotate is configured properly, output should include references to /etc/cron.daily. Is it the case that logrotate is not configured to run daily? Run the following command to determine if the syslog-ng-core package is installed: $ rpm -q syslog-ng-core Is it the case that the package is not installed? Run the following command to determine the current status of the syslog-ng service: $ systemctl is-active syslog-ng If the service is running, it should return the following: active Is it the case that ? To ensure logs are sent to a remote host, examine the file /etc/rsyslog.conf. If using UDP, a line similar to the following should be present: *.* @loghost.example.com If using TCP, a line similar to the following should be present: *.* @@loghost.example.com If using RELP, a line similar to the following should be present: *.* :omrelp:loghost.example.com Is it the case that none of these are present? Promiscuous mode of an interface can be disabled with the following command: $ sudo ip link set dev device_name promisc off Is it the case that any network device is in promiscuous mode? If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the ip6tables service: $ systemctl is-active ip6tables If the service is running, it should return the following: active Is it the case that ? Run the following command to determine the current status of the iptables service: $ systemctl is-active iptables If the service is running, it should return the following: active Is it the case that ? If IPv6 is disabled, this is not applicable. Inspect the file /etc/sysconfig/ip6tables to determine the default policy for the INPUT chain. It should be set to DROP: $ sudo grep ":INPUT" /etc/sysconfig/ip6tables Is it the case that the default policy for the INPUT chain is not set to DROP? Inspect the file /etc/sysconfig/iptables to determine the default policy for the INPUT chain. It should be set to DROP: $ sudo grep ":INPUT" /etc/sysconfig/iptables Is it the case that the default policy for the INPUT chain is not set to DROP? Run the following command to ensure the default FORWARD policy is DROP: grep ":FORWARD" /etc/sysconfig/iptables The output should be similar to the following: $ sudo grep ":FORWARD" /etc/sysconfig/iptables :FORWARD DROP [0:0 Is it the case that the default policy for the FORWARD chain is not set to DROP? The status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.accept_source_route The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv6.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? If the system uses IPv6, this is not applicable. If the system is configured to disable the ipv6 kernel module, it will contain a line of the form: options ipv6 disable=1 Such lines may be inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps it inactive. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: preserve$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d Is it the case that the ipv6 kernel module is not disabled? The status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.tcp_syncookies kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.all.send_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the net.ipv4.ip_forward kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d The ability to forward packets is only appropriate for routers. Is it the case that ? If the system is configured to prevent the loading of the rds kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r rds /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? If the system is configured to prevent the loading of the tipc kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? Verify that there are no wireless interfaces configured on the system with the following command: # wicked show all lo up link: #1, state up type: loopback config: compat:suse:/etc/sysconfig/network/ifcfg-lo leases: ipv4 static granted leases: ipv6 static granted addr: ipv4 127.0.0.1/8 [static] addr: ipv6 ::1/128 [static] wlan0 up link: #3, state up, mtu 1500 type: wireless, hwaddr 06:00:00:00:00:02 config: wicked:xml:/etc/wicked/ifconfig/wlan0.xml leases: ipv4 dhcp granted addr: ipv4 10.0.0.101/16 [dhcp] route: ipv4 default via 10.0.0.1 proto dhcp The output should not contain any interfaces of type wireless in state up. If a wireless interface is configured it must be documented and approved by the local Authorizing Official. Is it the case that it is not? Run the following command to determine if the SuSEfirewall2 package is installed: $ rpm -q SuSEfirewall2 Run the following command to determine the current status of the SuSEfirewall2 service: $ systemctl is-active SuSEfirewall2 If the service is running, it should return the following: active Run the following command: # grep -i fw_services_accept_ext /etc/sysconfig/SuSEfirewall2 FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh" If the "FW_SERVICES_ACCEPT_EXT" rule does not contain both the hitcount and blockseconds parameters, this is a finding. Is it the case that the DoS protection is not active? Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: # grep ^FW_ /etc/sysconfig/SuSEfirewall2 Ask the System Administrator for the site or program PPSM Component Local Services Assessment (Component Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a findin. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding. Is it the case that unauthorized network services can be accessed from the network? Run the following command to determine the current status of the SuSEfirewall2 service: $ systemctl is-active SuSEfirewall2 If the service is running, it should return the following: active Is it the case that ? To find world-writable directories that lack the sticky bit, run the following command: $ sudo find / -xdev -type d -perm 002 ! -perm 1000 Is it the case that any world-writable directories are missing the sticky bit? To check the permissions of /boot/Sysem.map-*, run the command: $ ls -l /boot/Sysem.map-* If properly configured, the output should indicate the following permissions: -rw------- Is it the case that ? To find world-writable files, run the following command: $ sudo find / -xdev -type f -perm -002 Is it the case that there is output? To find world-writable files, run the following command: $ sudo find / -xdev -type f -perm -002 Is it the case that only authorized files appear in the output of the find command? To find world-writable files, run the following command: $ sudo find / -xdev -type f -perm -002 Is it the case that there is output? The following command will discover and print any files on local partitions which do not belong to a valid group. $ sudo find / -xdev -fstype local -nogroup Either remove all files and directories from the system that do not have a valid group, or assign a valid group with the chgrp command: $ sudo chgrp group file Is it the case that there is output? The following command will discover and print any files on local partitions which do not belong to a valid user. $ sudo find / -xdev -fstype local -nouser Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the chown command: $ sudo chown user file Is it the case that files exist that are not owned by a valid user? The status of the fs.protected_hardlinks kernel parameter can be queried by running the following command: $ sysctl fs.protected_hardlinks The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r fs.protected_hardlinks /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the fs.protected_symlinks kernel parameter can be queried by running the following command: $ sysctl fs.protected_symlinks The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r fs.protected_symlinks /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system groups have a uid lower than 1000. Run it once for each local partition PART: $ sudo find PART -xdev -type d -perm -0002 -gid +999 -print Is it the case that there is output? To check the group ownership of /etc/group, run the command: $ ls -lL /etc/group If properly configured, the output should indicate the following group-owner. root Is it the case that /etc/group has group owner root? To check the group ownership of /etc/gshadow, run the command: $ ls -lL /etc/gshadow If properly configured, the output should indicate the following group-owner. root Is it the case that /etc/gshadow has group owner root? To check the group ownership of /etc/passwd, run the command: $ ls -lL /etc/passwd If properly configured, the output should indicate the following group-owner. root Is it the case that /etc/passwd has group owner root? To check the group ownership of /etc/shadow, run the command: $ ls -lL /etc/shadow If properly configured, the output should indicate the following group-owner. root Is it the case that /etc/shadow has group owner root? To check the ownership of /etc/group, run the command: $ ls -lL /etc/group If properly configured, the output should indicate the following owner: root Is it the case that /etc/group has owner root? To check the ownership of /etc/gshadow, run the command: $ ls -lL /etc/gshadow If properly configured, the output should indicate the following owner: root Is it the case that /etc/gshadow has owner root? To check the ownership of /etc/passwd, run the command: $ ls -lL /etc/passwd If properly configured, the output should indicate the following owner: root Is it the case that /etc/passwd has owner root? To check the ownership of /etc/shadow, run the command: $ ls -lL /etc/shadow If properly configured, the output should indicate the following owner: root Is it the case that /etc/shadow has owner root? To check the permissions of /etc/passwd, run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/group has unix mode -rw-r--r--? To check the permissions of /etc/gshadow, run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following permissions: ---------- Is it the case that /etc/gshadow has unix mode ----------? To check the permissions of /etc/passwd, run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/passwd has unix mode -rw-r--r--? To check the permissions of /etc/shadow, run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/shadow has unix mode ----------? To check the ownership of /etc/security/opasswd, run the command: $ ls -lL /etc/security/opasswd If properly configured, the output should indicate the following owner: root To check the group ownership of /etc/security/opasswd, run the command: $ ls -lL /etc/security/opasswd If properly configured, the output should indicate the following group-owner. root To check the permissions of /etc/security/opasswd, run the command: $ ls -l /etc/security/opasswd If properly configured, the output should indicate the following permissions: 0600 Is it the case that /etc/security/opasswd has owner root and /etc/security/opasswd has group owner root and /etc/security/opasswd has unix mode 0600? System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin To find system executables that are not owned by root, run the following command for each directory DIR which contains system executables: $ sudo find DIR/ \! -user root Is it the case that any system executables are found to not be owned by root? Shared libraries are stored in the following directories: /lib /lib64 /usr/lib /usr/lib64 For each of these directories, run the following command to find files not owned by root: $ sudo find -L $DIR ! -user root -exec chown root {} \; Is it the case that any of these files are not owned by root? System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin To find system executables that are group-writable or world-writable, run the following command for each directory DIR which contains system executables: $ sudo find -L DIR -perm /022 -type f Is it the case that any system executables are found to be group or world writable? Shared libraries are stored in the following directories: /lib /lib64 /usr/lib /usr/lib64 To find shared libraries that are group-writable or world-writable, run the following command for each directory DIR which contains shared libraries: $ sudo find -L DIR -perm /022 -type f Is it the case that any of these files are group-writable or world-writable? To check that the autofs service is disabled in system boot configuration, run the following command: $ systemctl is-enabled autofs Output should indicate the autofs service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled autofsdisabled Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: $ systemctl is-active autofs If the service is not running the command will return the following output: inactive Is it the case that ? The status of the fs.suid_dumpable kernel parameter can be queried by running the following command: $ sysctl fs.suid_dumpable The output of the command should indicate a value of 0. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r fs.suid_dumpable /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the kernel.kptr_restrict kernel parameter can be queried by running the following command: $ sysctl kernel.kptr_restrict The output of the command should indicate a value of 1. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r kernel.kptr_restrict /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? The status of the kernel.randomize_va_space kernel parameter can be queried by running the following command: $ sysctl kernel.randomize_va_space The output of the command should indicate a value of 2. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly. This has to be checked in all files in the /etc/sysctl.d directory and the deprecated /etc/sysctl.conf. You can verify this by running the following command: $ grep -r kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d Is it the case that the correct value is not returned? To check the permissions of /var/log/messages, run the command: $ ls -l /var/log/messages If properly configured, the output should indicate the following permissions: -rw-r----- Check that permissions.local file contains the correct permissions rules with the following command: # grep -i messages /etc/permissions.local /var/log/messages root:root 640 If the command does not return any or different output, this is a finding. Run the following command to correct the permissions after adding the missing entry: # sudo chkstat --set --system Is it the case that ? Check that permissions.local file contains the correct permissions rules with the following command: # grep -i audit /etc/permissions.local /var/log/audit/ root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 If the command does not return all the above lines, the missing ones need to be added. Run the following command to correct the permissions after adding missing entries: # sudo chkstat --set --system Is it the case that ? Check that permissions.local file contains the correct permissions rules with the following command: grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 0750 /usr/sbin/auditctl root:root 0750 /usr/sbin/auditd root:root 0750 /usr/sbin/ausearch root:root 0755 /usr/sbin/aureport root:root 0755 /usr/sbin/autrace root:root 0750 /usr/sbin/augenrules root:root 0750 If the command does not return all the above lines, the missing ones need to be added. Run the following command to correct the permissions after adding missing entries: # sudo chkstat --set --system Is it the case that ? Check that all of the audit information files and folders have the correct permissions with the following command: # sudo chkstat --warn --system If you get any warnings, set the correct permissions with the following command: # sudo chkstat --set --system Is it the case that ? Check the system partitions to determine if they are encrypted with the following command: blkid Output will be similar to: /dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2 " TYPE="crypto_LUKS" /dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2 " TYPE="crypto_LUKS" Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding. Is it the case that partitions do not have a type of crypto_LUKS? Run the following command to determine if /home is on its own partition or logical volume: $ mount | grep "on /home" If /home has its own partition or volume group, a line will be returned. Is it the case that no line is returned? Run the following command to determine if /srv is on its own partition or logical volume: $ mount | grep "on /srv" If /srv has its own partition or volume group, a line will be returned. Is it the case that no line is returned? Run the following command to determine if /tmp is on its own partition or logical volume: $ mount | grep "on /tmp" If /tmp has its own partition or volume group, a line will be returned. Is it the case that no line is returned? Run the following command to determine if /var is on its own partition or logical volume: $ mount | grep "on /var" If /var has its own partition or volume group, a line will be returned. Is it the case that no line is returned? Run the following command to determine if /var/log is on its own partition or logical volume: $ mount | grep "on /var/log" If /var/log has its own partition or volume group, a line will be returned. Is it the case that no line is returned? Run the following command to determine if /var/log/audit is on its own partition or logical volume: $ mount | grep "on /var/log/audit" If /var/log/audit has its own partition or volume group, a line will be returned. Is it the case that no line is returned? Assuming that user home directories are under /home, run the following command to determine if they use their own partition or logical volume: $ mount | grep "on /home" If /home has its own partition or volume group, a line will be returned. Is it the case that no line is returned? To verify that the DConf User profile is configured correctly, run the following command: $ cat /etc/dconf/profile/user The output should show the following: user-db:user system-db:gdm Is it the case that DConf User profile does not exist or is not configured correctly? To verify that the DConf uses text files as data backend, put the line service-db:keyfile/user at the top of the file /etc/dconf/profile/user Is it the case that DConf uses the binary database as data backend? To ensure the user list is disabled, run the following command: $ gconftool-2 -g /apps/gdm/simple-greeter/disable_user_list The output should be true. Is it the case that it is not? To ensure disable and restart on the login screen are disabled, run the following command: $ gconftool-2 -g /apps/gdm/simple-greeter/disable_restart_buttons The output should be true. Is it the case that disable-restart-buttons has not been configured or is not disabled? To verify that automatic logins are disabled, run the following command: $ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf The output should show the following: [daemon] AutomaticLoginEnable=false Is it the case that GDM allows users to automatically login? These settings can be verified by running the following: $ gconftool-2 -g /apps/nautilus/preferences/media_automount The output should return false. $ gconftool-2 -g /apps/nautilus/preferences/media_autorun_never The output should return true. Is it the case that GNOME automounting is not disabled? These settings can be verified by running the following: $ gconftool-2 -g /desktop/gnome/thumbnailers/disable_all The output should return true. Is it the case that GNOME thumbnailers are not disabled? To ensure that WIFI connections cannot be created, run the following command: $ gconftool-2 -g /apps/nm-applet/disable-wifi-create The output should return true. Is it the case that WIFI connections can be created through GNOME? To ensure that wireless network notification is disabled, run the following command: $ gconftool-2 -g /apps/nm-applet/disable-disconnected-notifications The output should return true. Is it the case that wireless disconnecting network notification is enabled and not disabled? To ensure that wireless network notification is disabled, run the following command: $ gconftool-2 -g /apps/nm-applet/disable-connected-notifications The output should return true. Is it the case that wireless connecting network notification is enabled and not disabled? To check the current idle time-out value, run the following command: $ gsettings get org.gnome.desktop.session idle-delay If properly configured, the output should be 'uint32 '. If you want to ensure that users cannot change the screensaver inactivity timeout setting, run the following: $ grep idle-delay /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/desktop/session/idle-delay Is it the case that idle-delay is not equal to or less than the expected value? To ensure the screensaver is configured to be blank, run the following command: $ gsettings get org.gnome.desktop.screensaver picture-uri If properly configured, the output should be ''. To ensure that users cannot set the screensaver background, run the following: $ grep picture-uri /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri Is it the case that it is not set or configured properly? To check the screensaver locking keybindings, run the following command: $ gconftool-2 -g /apps/gnome_settings_daemon/keybindings/screensaver If properly configured, the output should be <Control><Alt>l. Is it the case that GNOME screensaver locking keybindings are configured and cannot be changed? To check the screensaver mandatory use status, run the following command: $ gconftool-2 -g /apps/gnome-screensaver/idle_activation_enabled If properly configured, the output should be true. Is it the case that it is not? To check the current idle time-out value, run the following command: $ gconftool-2 -g /desktop/gnome/session/idle_delay If properly configured, the output should be . Is it the case that it is not? To check the status of the idle screen lock activation, run the following command: $ gconftool-2 -g /apps/gnome-screensaver/lock_enabled If properly configured, the output should be true. Is it the case that it is not? To check the current idle time-out value, run the following command: $ gconftool-2 -g /desktop/gnome/session/max_idle_action If properly configured, the output should be forced-logout. Is it the case that it is not? To check the current idle time-out value, run the following command: $ gconftool-2 -g /desktop/gnome/session/max_idle_time If properly configured, the output should be . Is it the case that it is not? To ensure the screensaver is configured to be blank, run the following command: $ gconftool-2 -g /apps/gnome-screensaver/mode If properly configured, the output should be blank-only Is it the case that it is not? To check the status of the screen lock, run the following command: $ gsettings get org.gnome.desktop.lockdown disable-lock-screen If properly configured, the output should be false. Is it the case that lock screen is disabled? To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, run the following command: $ gsettings get org.gnome.settings-daemon.plugins.media-keys logout If properly configured, the output should be ''. To ensure that users cannot enable the Ctrl-Alt-Del sequence, run the following: $ grep logout /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/settings-daemon/plugins/media-keys/logout Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed? To check the status of the idle screen lock activation, run the following command: $ gconftool-2 -g /apps/panel/applets/clock/prefs/show_temperature If properly configured, the output should be false. Is it the case that it is not? To check the status of the idle screen lock activation, run the following command: $ gconftool-2 -g /apps/panel/applets/clock/prefs/show_weather If properly configured, the output should be false. Is it the case that it is not? To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, run the following command: $ gconftool-2 -g /apps/gnome_settings_daemon/keybindings/power The output should return nothing. Is it the case that GNOME is configured to reboot when Ctrl-Alt-Del is pressed? To verify that the installed operating system is supported or certified, run the following command: $ grep -i "suse" /etc/os-release The output should contain something similar to: SUSE Linux Enterprise 12 Is it the case that the installed operating system is not FIPS 140-2 certified? To verify that the installed operating system is supported or certified, run the following command: $ grep -i "suse linux enterprise" /etc/os-release The output should contain something similar to: SUSE Linux Enterprise 12 Is it the case that the installed operating system is not supported or certified? To verify that cryptography policy has been configured correctly, run the following command: $ update-crypto-policies --show The output should return . Is it the case that cryptographic policy is not configured or is configured incorrectly? Verify that the system backups user data. Is it the case that it is not? To verify that the Dracut FIPS module is enabled, run the following command: grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf The output should look like this: add_dracutmodules+=" fips " Is it the case that the Dracut FIPS module is not enabled? To verify that FIPS is enabled properly, run the following command: # cat /proc/sys/crypto/fips_enabled The output should be 1. Is it the case that FIPS mode is not enabled? To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: sysctl crypto.fips_enabled The output should contain the following: crypto.fips_enabled = 1 Is it the case that crypto.fips_enabled is not 1? To find the location of the AIDE databse file, run the following command: $ sudo ls -l DBDIR/database_file_name Is it the case that there is no database file? To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return some similiar to the following: 05 4 * * * root /usr/sbin/aide --check NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. Is it the case that there is no output? To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details? To determine that AIDE is verifying ACLs, run the following command: $ grep acl /etc/aide.conf Verify that the acl option is added to the correct ruleset. Is it the case that the acl option is missing or not added to the correct ruleset? To determine that AIDE is verifying extended file attributes, run the following command: $ grep xattrs /etc/aide.conf Verify that the xattrs option is added to the correct ruleset. Is it the case that the xattrs option is missing or not added to the correct ruleset? Run the following command to determine if the aide package is installed: $ rpm -q aide Is it the case that the package is not installed? Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command: # sudo cat /etc/aide.conf | grep /usr/sbin/au /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 If AIDE is configured properly to protect the integrity of the audit tools, all lines listed above will be returned from the command. If one or more lines are missing, this is a finding. Is it the case that integrity checks of the audit tools are missing or incomplete? To verify that there are no unauthorized local user accounts, run the following command: $ less /etc/passwd Inspect the results, and if unauthorized local user accounts exist, remove them by running the following command: $ sudo userdel unauthorized_user Is it the case that there are unauthorized local user accounts on the system? To determine if !authenticate has not been configured for sudo, run the following command: $ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/ The command should return no output. Is it the case that !authenticate is enabled in sudo? To determine if NOPASSWD has been configured for sudo, run the following command: $ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/ The command should return no output. Is it the case that nopasswd is enabled in sudo? To determine if NOPASSWD or !authenticate have been configured for sudo, run the following command: $ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/ The command should return no output. Is it the case that nopasswd and/or !authenticate is enabled in sudo? To determine if NOPASSWD has been configured for the vdsm user for sudo, run the following command: $ sudo grep -ri nopasswd /etc/sudoers.d/ The command should return output only for the vdsm user. Is it the case that nopasswd is set for any users beyond vdsm? To verify that solver.upgradeRemoveDroppedPackages is configured properly, run the following command: $ grep upgradeRemoveDroppedPackages /etc/zypp/zypp.conf The output should return something similar to: solver.upgradeRemoveDroppedPackages=true Is it the case that clean_requirements_on_remove is not enabled or configured correctly? To determine whether zypper is configured to use gpgcheck, inspect /etc/zypp/zypp.conf and ensure the following appears in the [main] section: gpgcheck=1 A value of 1 indicates that gpgcheck is enabled. Absence of a gpgcheck line or a setting of 0 indicates that it is disabled. Is it the case that GPG checking is not enabled? If the system is configured for online updates, invoking the following command will indicate if updates are available: $ sudo zypper list-patches -g security If the system is not configured to update from one of these sources, run the following command to list when each package was last updated: $ rpm -qa -last Compare this to SUSE Update Advisories listed at https://www.suse.com/support/update/ to determine if the system is missing applicable updates. Is it the case that updates are not installed? Make sure that the usb-storage driver is blacklisted from being loaded through modprobe: # grep -R usb-storage /etc/modprobe.{conf,d} blacklist usb-storage If nothing is output from the command above, this is a finding. Is it the case that USB mass storage devices may get auto-mounted? Verify that the SUSE operating system Apparmor tool is configured to control whitelisted applications and user home directory access control. Check that pam_apparmor is installed on the system with the following command: # rpm -q pam_apparmor Check that the "apparmor" daemon is running with the following command: # systemctl status apparmor.service | grep -i active Active: active (exited) since Fri 2017-01-13 01:01:01 GMT; 1day 1h ago Note: pam_apparmor must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the pam_apparmor documentation for more information on configuring profiles. Is it the case that it is not? Run the following command to determine the current status of the apparmor service: $ systemctl is-active apparmor If the service is running, it should return the following: active Is it the case that ? Run the following command to determine if the pam_apparmor package is installed: $ rpm -q pam_apparmor Is it the case that the package is not installed? draft This guide presents a catalog of security-relevant configuration settings for SUSE Linux Enterprise 12. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide. Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance. Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. The SCAP Security Guide Project https://www.open-scap.org/security-policies/scap-security-guide SUSE is a registered trademark of SUSE LLC in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. 0.1.44 SCAP Security Guide Project SCAP Security Guide Project Frank J Cameron (CAM1244) <cameron@ctc.com> 0x66656c6978 <0x66656c6978@users.noreply.github.com> Gabe Alford <redhatrises@gmail.com> Firas AlShafei <firas.alshafei@us.abb.com> Christopher Anderson <cba@fedoraproject.org> angystardust <angystardust@users.noreply.github.com> Chuck Atkins <chuck.atkins@kitware.com> Ryan Ballanger <root@rballang-admin-2.fastenal.com> Alex Baranowski <alex@euro-linux.com> Molly Jo Bault <Molly.Jo.Bault@ballardtech.com> Gabriel Becker <ggasparb@redhat.com> Alexander Bergmann <abergmann@suse.com> Jose Luis BG <bgjoseluis@gmail.com> Joseph Bisch <joseph.bisch@gmail.com> Jeffrey Blank <blank@eclipse.ncsc.mil> Olivier Bonhomme <ptitoliv@ptitoliv.net> Ted Brunell <tbrunell@redhat.com> Blake Burkhart <blake.burkhart@us.af.mil> Patrick Callahan <pmc@patrickcallahan.com> Nick Carboni <ncarboni@redhat.com> James Cassell <james.cassell@ll.mit.edu> Frank Caviggia <fcaviggi@ra.iad.redhat.com> Eric Christensen <echriste@redhat.com> Caleb Cooper <coopercd@ornl.gov> Deric Crago <deric.crago@gmail.com> Maura Dailey <maura@eclipse.ncsc.mil> Klaas Demter <demter@atix.de> dhanushkar-wso2 <dhanushkar@wso2.com> Andrew DiPrinzio <andrew.diprinzio@jhuapl.edu> Jean-Baptiste Donnette <jean-baptiste.donnette@epita.fr> drax <applezip@gmail.com> Greg Elin <gregelin@gitmachines.com> Leah Fisher <lfisher047@gmail.com> Alijohn Ghassemlouei <alijohn.ghassemlouei@sapns2.com> Andrew Gilmore <agilmore2@gmail.com> Joshua Glemza <jglemza@nasa.gov> Loren Gordon <lorengordon@users.noreply.github.com> Patrik Greco <sikevux@sikevux.se> Steve Grubb <sgrubb@redhat.com> Marek Haicman <mhaicman@redhat.com> Rebekah Hayes <rhayes@corp.rivierautilities.com> Trey Henefield <thenefield@gmail.com> Henning Henkel <henning.henkel@helvetia.ch> hex2a <hex2a@users.noreply.github.com> John Hooks <jhooks@starscream.pa.jhbcomputers.com> Robin Price II <robin@redhat.com> Jeremiah Jahn <jeremiah@goodinassociates.com> Stephan Joerrens <Stephan.Joerrens@fiduciagad.de> Kai Kang <kai.kang@windriver.com> Charles Kernstock <charles.kernstock@ultra-ats.com> Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> Lee Kinser <lee.kinser@gmail.com> Peter 'Pessoft' Kolínek <github@pessoft.com> Luke Kordell <luke.t.kordell@lmco.com> Malte Kraus <malte.kraus@suse.com> kspargur <kspargur@kspargur.csb> Amit Kumar <amitkuma@redhat.com> Fen Labalme <fen@civicactions.com> Ian Lee <lee1001@llnl.gov> Jarrett Lee <jarrettl@umd.edu> Jan Lieskovsky <jlieskov@redhat.com> Šimon Lukašík <slukasik@redhat.com> Milan Lysonek <mlysonek@redhat.com> Fredrik Lysén <fredrik@pipemore.se> Matus Marhefka <mmarhefk@redhat.com> Jamie Lorwey Martin <jlmartin@redhat.com> Michael McConachie <michael@redhat.com> Khary Mendez <kharyam@gmail.com> Rodney Mercer <rmercer@harris.com> Matt Micene <nzwulfin@gmail.com> Brian Millett <bmillett@gmail.com> Mixer9 <35545791+Mixer9@users.noreply.github.com> mmosel <mmosel@kde.example.com> Zbynek Moravec <zmoravec@redhat.com> Kazuo Moriwaka <moriwaka@users.noreply.github.com> Michael Moseley <michael@eclipse.ncsc.mil> Joe Nall <joe@nall.com> Neiloy <neiloy@redhat.com> Axel Nennker <axel@nennker.de> Michele Newman <mnewman@redhat.com> Sean O'Keeffe <seanokeeffe797@gmail.com> Ilya Okomin <ilya.okomin@oracle.com> Kaustubh Padegaonkar <theTuxRacer@gmail.com> Michael Palmiotto <mpalmiotto@tresys.com> Max R.D. Parmer <maxp@trystero.is> pcactr <paul.c.arnold4.ctr@mail.mil> Kenneth Peeples <kennethwpeeples@gmail.com> Nathan Peters <Nathaniel.Peters@ca.com> Frank Lin PIAT <fpiat@klabs.be> Stefan Pietsch <mail.ipv4v6+gh@gmail.com> Martin Preisler <mpreisle@redhat.com> Wesley Ceraso Prudencio <wcerasop@redhat.com> Raphael Sanchez Prudencio <rsprudencio@redhat.com> T.O. Radzy Radzykewycz <radzy@windriver.com> Kenyon Ralph <kenyon@kenyonralph.com> Rick Renshaw <Richard_Renshaw@xtoenergy.com> Chris Reynolds <c.reynolds82@gmail.com> rhayes <rhayes@rivierautilities.com> Pat Riehecky <riehecky@fnal.gov> rlucente-se-jboss <rlucente@redhat.com> Joshua Roys <roysjosh@gmail.com> rrenshaw <bofh69@yahoo.com> Chris Ruffalo <chris.ruffalo@gmail.com> Ray Shaw (Cont ARL/CISD) rvshaw <rvshaw@esme.arl.army.mil> Willy Santos <wsantos@redhat.com> Gautam Satish <gautams@hpe.com> Watson Sato <wsato@redhat.com> Satoru SATOH <satoru.satoh@gmail.com> Alexander Scheel <ascheel@redhat.com> Spencer Shimko <sshimko@tresys.com> Thomas Sjögren <konstruktoid@users.noreply.github.com> Francisco Slavin <fslavin@tresys.com> David Smith <dsmith@eclipse.ncsc.mil> Kevin Spargur <kspargur@redhat.com> Kenneth Stailey <kstailey.lists@gmail.com> Leland Steinke <leland.j.steinke.ctr@mail.mil> Brian Stinson <brian@bstinson.com> Philippe Thierry <phil@reseau-libre.net> Paul Tittle <ptittle@cmf.nrl.navy.mil> tomas.hudik <tomas.hudik@embedit.cz> Jeb Trayer <jeb.d.trayer@uscg.mil> Matěj Týč <matyc@redhat.com> VadimDor <29509093+VadimDor@users.noreply.github.com> Shawn Wells <shawn@redhat.com> Daniel E. White <linuxdan@users.noreply.github.com> Roy Williams <roywilli@roywilli.redhat.com> Rob Wilmoth <rwilmoth@redhat.com> Lucas Yamanishi <lucas.yamanishi@onyxpoint.com> Xirui Yang <xirui.yang@oracle.com> Kevin Zimmerman <kevin.zimmerman@kitware.com> Jan Černý <jcerny@redhat.com> Michal Šrubař <msrubar@redhat.com> https://github.com/OpenSCAP/scap-security-guide/releases/latest This profile contains rules to ensure standard security baseline of a SUSE Linux Enterprise 12 system. Regardless of your system's workload all of these checks should pass. This profile contains configuration checks that align to the DISA STIG for SUSE Linux Enterprise 12. XCCDF form of the various remediation functions as used by remediation scripts from the SCAP Security Guide Project. The purpose of this guidance is to provide security configuration recommendations and baselines for the SUSE Linux Enterprise 12 operating system. Recommended settings for the basic operating system are provided, as well as for many network services that the system can provide to other systems. The guide is intended for system administrators. Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with the product's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security. The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not explicitly covered. Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such data exist, they should be applied. Even if data is expected to be transmitted only over a local network, it should still be encrypted. Encrypting authentication data, such as passwords, is particularly important. Networks of SUSE Linux Enterprise 12 machines can and should be configured so that no unencrypted authentication data is ever transmitted between machines. Grant the least privilege necessary for user accounts and software to perform tasks. For example, sudo can be implemented to limit authorization to super user accounts on the system only to designated personnel. Another example is to limit logins on server systems to only those administrators who need to log into them in order to perform administration tasks. Using SELinux also follows the principle of least privilege: SELinux policy can confine software to perform only actions on the system that are specifically allowed. This can be far more restrictive than the actions permissible by the traditional Unix permissions model. The simplest way to avoid vulnerabilities in software is to avoid installing that software. On SUSE Linux Enterprise 12,the RPM Package Manager (originally Red Hat Package Manager, abbreviated RPM) allows for careful management of the set of software packages installed on a system. Installed software contributes to system vulnerability in several ways. Packages that include setuid programs may provide local attackers a potential path to privilege escalation. Packages that include network services may give this opportunity to network-based attackers. Packages that include programs which are predictably executed by local users (e.g. after graphical login) may provide opportunities for trojan horses or other attack code to be run undetected. The number of software packages installed on a system can almost always be significantly pruned to include only the software for which there is an environmental or operational need. Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compromised in the event that an attacker is able to successfully exploit a software flaw in one network service. Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve robustness against attack at the cost of relatively little configuration effort. In particular, this guide recommends and discusses the use of host-based firewalling, SELinux for protection against vulnerable services, and a logging and auditing infrastructure for detection of problems. Readers should heed the following points when using the guide. Commands intended for shell execution, as well as configuration file text, are featured in a monospace font. Italics are used to indicate instances where the system administrator must substitute the appropriate information into a command or configuration file. Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instructions should never be blindly applied. Relevant discussion may occur after instructions for an action. A system reboot is implicitly required after some actions in order to complete the reconfiguration of the system. In many cases, the changes will not take effect until a reboot is performed. In order to ensure that changes are applied properly and to test functionality, always reboot the system after applying a set of recommendations from this guide. Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the /bin/bash shell. Commands preceded with a hash mark (#) assume that the administrator will execute the commands as root, i.e. apply the command via sudo whenever possible, or use su to gain root privileges if sudo cannot be used. Commands which can be executed as a non-root user are are preceded by a dollar sign ($) prompt. This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which the system will be deployed as closely as possible. The best protection against vulnerable software is running less software. This section describes how to review the software which SUSE Linux Enterprise 12 installs on a system and disable software which is not needed. It then enumerates the software packages installed on a default SUSE Linux Enterprise 12 system and provides guidance about which ones can be safely disabled. SUSE Linux Enterprise 12 provides a convenient minimal install option that essentially installs the bare necessities for a functional system. When building SUSE Linux Enterprise 12 systems, it is highly recommended to select the minimal packages and then build up the system from there. The apt service manage the package management and update of the whole system. Its configuration need to be properly defined to ensure efficient security updates, packages and repository authentication and proper lifecycle management. Unauthenticated repositories should not be used for updates. NT28(R15) Repositories hosts all packages that will be intsalled on the system during update. If a repository is not authenticated, the associated packages can't be trusted, and then should not be installed localy. Check that official Debian repositories, including security repository, are configured in apt. NT28(R15) The Debian distribution deliver DSA (Debian Security Announce), through the official Debian security repository, to correct various vulnerabilities impacting the Debian packages. Using the official repositories is the best way to ensure that the Debian updates are integrated soon enough. The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows a system to automatically identify resources on the network, such as printers or web servers. This capability is also known as mDNSresponder and is a major part of Zeroconf networking. If your system requires the Avahi daemon, its configuration can be restricted to improve security. The Avahi daemon configuration file is /etc/avahi/avahi-daemon.conf. The following security recommendations should be applied to this file: See the avahi-daemon.conf(5) man page, or documentation at http://www.avahi.org, for more detailed information about the configuration options. To prevent Avahi from publishing its records, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [publish] section: disable-publishing=yes 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 This helps ensure that no record will be published by Avahi. Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it can reduce the system's vulnerability to such attacks. This section addresses the base services that are installed on a SUSE Linux Enterprise 12 default installation which are not covered in other sections. Some of these services listen on the network and should be treated with particular discretion. Other services are local system utilities that may or may not be extraneous. In general, system services should be disabled if not required. SLES-12-010840 The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command: $ sudo systemctl disable kdump.service SLES-12-010840 SV-91953r2_rule 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000366 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 CM-6(b) PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227 Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'kdump.service' "$SYSTEMCTL_EXEC" disable 'kdump.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^kdump.socket\>' && "$SYSTEMCTL_EXEC" disable 'kdump.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'kdump.service' - name: Disable service kdump service: name: kdump enabled: 'no' state: stopped register: service_result failed_when: service_result is failed and ('Could not find the requested service' not in service_result.msg) tags: - service_kdump_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 - NIST-800-53-CM-6(b) - DISA-STIG-010840 - name: Disable socket of service kdump if applicable service: name: kdump.socket enabled: 'no' state: stopped register: socket_result failed_when: socket_result is failed and ('Could not find the requested service' not in socket_result.msg) tags: - service_kdump_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 - NIST-800-53-CM-6(b) - DISA-STIG-010840 The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform necessary maintenance tasks, while at may or may not be required on a given system. Both daemons should be configured defensively. The Cron service should be installed. NT28(R50) 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only. The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The cron service can be enabled with the following command: $ sudo systemctl enable cron.service 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. The /etc/cron.allow and /etc/at.allow files contain lists of users who are allowed to use cron and at to delay execution of processes. If these files exist and if the corresponding files /etc/cron.deny and /etc/at.deny do not exist, then only users listed in the relevant allow files can run the crontab and at commands to submit jobs to be run at scheduled intervals. On many systems, only the system administrator needs the ability to schedule jobs. Note that even if a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file controls only administrative access to the crontab command for scheduling and modifying cron jobs. To restrict at and cron to only authorized users: Remove the cron.deny file:$ sudo rm /etc/cron.denyEdit /etc/cron.allow, adding one line for each user allowed to use the crontab command to create cron jobs.Remove the at.deny file:$ sudo rm /etc/at.denyEdit /etc/at.allow, adding one line for each user allowed to use the at command to create at jobs. Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as uncontrolled communication channel, risk associated with the service due to its old age, etc. The inet-based telnet daemon should be uninstalled. NT007(R03) 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be listened and no integrity checking is made. The support for Yellowpages should not be installed unless it is required. NIS is the historical SUN service for central account management, more and more replaced by LDAP. NIS does not support efficiently security constraints, ACL, etc. and should not be used. ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled. ntpdate is an old not security-compliant ntp client. It should be replaced by modern ntp clients such as ntpd, able to use cryptographic mechanisms integrated in NTP. _{package_remove ntpdate} - name: Ensure ntpdate is removed package: name: ntpdate state: absent tags: - package_ntpdate_removed - low_severity - disable_strategy - low_complexity - low_disruption - no_reboot_needed include remove_ntpdate class remove_ntpdate { package { 'ntpdate': ensure => 'purged', } } The telnet daemon, even with ssl support, should be uninstalled. NT007(R02) 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 telnet, even with ssl support, should not be installed. When remote shell is required, up-to-date ssh daemon can be used. The telnet daemon should be uninstalled. NT007(R03) 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be listened and no integrity checking is made. The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. This guide recommends configuring networking on clients by manually editing the appropriate files under /etc/sysconfig. Use of DHCP can make client systems vulnerable to compromise by rogue DHCP servers, and should be avoided unless necessary. If using DHCP is necessary, however, there are best practices that should be followed to minimize security risk. If DHCP must be used, then certain configuration changes can minimize the amount of information it receives and applies from the network, and thus the amount of incorrect information a rogue DHCP server could successfully distribute. For more information on configuring dhclient, see the dhclient(8) and dhclient.conf(5) man pages. Create the file /etc/dhcp/dhclient.conf, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, do one of the following: If the setting should not be configured remotely by the DHCP server, select an appropriate static value, and add the line: supersede setting value; If the setting should be configured remotely by the DHCP server, add the lines: request setting; require setting; For example, suppose the DHCP server should provide only the IP address itself and the subnet mask. Then the entire file should look like: supersede domain-name "example.com"; supersede domain-name-servers 192.168.1.2; supersede nis-domain ""; supersede nis-servers ""; supersede ntp-servers "ntp.example.com "; supersede routers 192.168.1.1; supersede time-offset -18000; request subnet-mask; require subnet-mask; In this example, the options nis-servers and nis-domain are set to empty strings, on the assumption that the deprecated NIS protocol is not in use. It is necessary to supersede settings for unused services so that they cannot be set by a hostile DHCP server. If an option is set to an empty string, dhclient will typically not attempt to configure the service. By default, the DHCP client program, dhclient, requests and applies ten configuration options (in addition to the IP address) from the DHCP server. subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many of the options requested and applied by dhclient may be the same for every system on a network. It is recommended that almost all configuration options be assigned statically, and only options which must vary on a host-by-host basis be assigned via DHCP. This limits the damage which can be done by a rogue DHCP server. If appropriate for your site, it is also possible to supersede the host-name directive in /etc/dhcp/dhclient.conf, establishing a static hostname for the system. However, dhclient does not use the host name option provided by the DHCP server (instead using the value provided by a reverse DNS lookup). If the system must act as a DHCP server, the configuration information it serves should be minimized. Also, support for other protocols and DNS-updating schemes should be explicitly disabled unless needed. The configuration file for dhcpd is called /etc/dhcp/dhcpd.conf. The file begins with a number of global configuration options. The remainder of the file is divided into sections, one for each block of addresses offered by dhcpd, each of which contains configuration options specific to that address block. Edit /etc/dhcp/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information via DHCP: option domain-name option domain-name-servers option nis-domain option nis-servers option ntp-servers option routers option time-offset By default, the Red Hat Enterprise Linux client installation uses DHCP to request much of the above information from the DHCP server. In particular, domain-name, domain-name-servers, and routers are configured via DHCP. These settings are typically necessary for proper network functionality, but are also usually static across systems at a given site. 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Because the configuration information provided by the DHCP server could be maliciously provided to clients by a rogue DHCP server, the amount of information provided via DHCP should be minimized. Remove these definitions from the DHCP server configuration to ensure that legitimate clients do not unnecessarily rely on DHCP for this information. DHCP is the default network configuration method provided by the system installer, and common on many networks. Nevertheless, manual management of IP addresses for systems implies a greater degree of management and accountability for network activity. The DHCP server dhcpd is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled and removed. Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, and this server software should be disabled on any system on which it is not needed. DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on SUSE Linux Enterprise 12 by default. The remainder of this section discusses secure configuration of systems which must be nameservers. This section discusses mechanisms for preventing the DNS server from interfering with other services. This is done both to protect the remainder of the network should a nameserver be compromised, and to make direct attacks on nameservers more difficult. Install the bind-chroot package: $ sudo yum install bind-chroot Place a valid named.conf file inside the chroot jail: $ sudo cp /etc/named.conf /var/named/chroot/etc/named.conf $ sudo chown root:root /var/named/chroot/etc/named.conf $ sudo chmod 644 /var/named/chroot/etc/named.conf Create and populate an appropriate zone directory within the jail, based on the options directive. If your named.conf includes: options { directory "/path/to/DIRNAME "; ... } then copy that directory and its contents from the original zone directory: $ sudo cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME Add or correct the following line within /etc/sysconfig/named: ROOTDIR=/var/named/chroot If you are running BIND in a chroot jail, then you should use the jailed named.conf as the primary nameserver configuration file. That is, when this guide recommends editing /etc/named.conf, you should instead edit /var/named/chroot/etc/named.conf. Since DNS is a high-risk service which must frequently be made available to the entire Internet, it is strongly recommended that no other services be offered by systems which act as organizational DNS servers. This section discusses DNS configuration options which make it more difficult for attackers to gain access to private DNS data or to modify DNS data. If it is not possible to run external and internal nameservers on separate physical systems, run BIND9 and simulate this feature using views. Edit /etc/named.conf. Add or correct the following directives (where SUBNET is the numerical IP representation of your organization in the form xxx.xxx.xxx.xxx/xx): acl internal { SUBNET ; localhost; }; view "internal-view" { match-clients { internal; }; zone "." IN { type hint; file "db.cache"; }; zone "internal.example.com " IN { ... }; }; view "external-view" { match-clients { any; }; recursion no; zone "example.com " IN { ... }; }; As shown in the example, database files which are required for recursion, such as the root hints file, must be available to any clients which are allowed to make recursive queries. Under typical circumstances, this includes only the internal clients which are allowed to use this server as a general-purpose nameserver. Is it possible to run external and internal nameservers on separate systems? If so, follow the configuration guidance in this section. On the external nameserver, edit /etc/named.conf to add or correct the following directives: options { allow-query { any; }; recursion no; ... }; zone "example.com " IN { ... }; On the internal nameserver, edit /etc/named.conf. Add or correct the following directives, where SUBNET is the numerical IP representation of your organization in the form xxx.xxx.xxx.xxx/xx: acl internal { SUBNET ; localhost; }; options { allow-query { internal; }; ... }; zone "internal.example.com " IN { ... }; The docker service is necessary to create containers, which are self-sufficient and self-contained applications using the resource isolation features of the kernel. FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured and that the session is vulnerable to hijacking. Therefore, running the FTP server software is not recommended. However, there are some FTP server configurations which may be appropriate for some environments, particularly those which allow only read-only anonymous access as a means of downloading data available to the public. To minimize attack surface, disable vsftpd if at all possible. The primary vsftpd configuration file is /etc/vsftpd.conf, if that file exists, or /etc/vsftpd/vsftpd.conf if it does not. By default, iptables blocks access to the ports used by the web server. To configure iptables to allow port 21 traffic, one must edit /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain: -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT Edit the file /etc/sysconfig/iptables-config. Ensure that the space-separated list of modules contains the FTP connection tracking module: IPTABLES_MODULES="ip_conntrack_ftp" These settings configure the firewall to allow connections to an FTP server. The first line allows initial connections to the FTP server port. FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp module is used by iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an FTP server to operate on a system which is running a firewall. SLES-12-030010 Edit the vsftpd configuration file, which resides at /etc/vsftpd.conf by default. Add or correct the following configuration options: banner_file=/etc/issue SLES-12-030010 SV-92127r3_rule CCI-000048 This setting will cause the system greeting banner to be used for FTP connections as well. _{replace_or_append '/etc/vsftpd.conf' '^banner_file' '/etc/issue' '' '%s=%s'} This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an identified need for this access. If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options: userlist_enable=YES userlist_file=/etc/vsftp.ftpusers userlist_deny=NO Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name: USERNAME If anonymous access is also required, add the anonymous usernames to /etc/vsftp.ftpusers as well. anonymous ftp Historically, the file /etc/ftpusers contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option userlist deny=NO is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified. If your use-case requires FTP service, install and set-up vsftpd to provide it. The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: The HTTP port is commonly probed by malicious sourcesWeb server software is very complex, and includes a long history of vulnerabilitiesThe HTTP protocol is unencrypted and vulnerable to passive monitoring The system's default web server software is Apache 2 and is provided in the RPM package httpd. If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system. If httpd was not installed and activated, but the system needs to act as a web server, then it should be installed on the system. Follow these guidelines to install it defensively. The httpd package can be installed with the following command: $ sudo yum install httpd This method of installation is recommended over installing the "Web Server" package group during the system installation process. The Web Server package group includes many packages which are likely extraneous, while the command-line method installs only the required httpd package itself. The default httpd installation minimizes the number of modules that are compiled directly into the binary (core prefork http_core mod_so). This minimizes risk by limiting the capabilities allowed by the web server. Query the set of compiled-in modules using the following command: $ httpd -l If the number of compiled-in modules is significantly larger than the aforementioned set, this guide recommends re-installing httpd with a reduced configuration. Minimizing the number of modules that are compiled into the httpd binary, reduces risk by limiting the capabilities allowed by the webserver. The httpd configuration file is /etc/httpd/conf/httpd.conf. Apply the recommendations in the remainder of this section to this file. The setting for LogLevel in /etc/httpd/conf/httpd.conf alert crit warn emerg error warn The setting for MaxKeepAliveRequests in httpd.conf 100 1000 10000 100000 500 100 The following configuration steps should be taken on the system which hosts the web server, in order to provide as safe an environment as possible for the web server. Running httpd inside a chroot jail is designed to isolate the web server process to a small section of the filesystem, limiting the damage if it is compromised. Versions of Apache greater than 2.2.10 (such as the one included with SUSE Linux Enterprise 12) provide the ChrootDir directive. To run Apache inside a chroot jail in /chroot/apache, add the following line to /etc/httpd/conf/httpd.conf: ChrootDir /chroot/apache This necessitates placing all files required by httpd inside /chroot/apache , including httpd's binaries, modules, configuration files, and served web pages. The details of this configuration are beyond the scope of this guide. This may also require additional SELinux configuration. Minimize access to critical httpd files and directories. PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be practical, easy to use, and efficient means of generating interactive web pages for the user. PHP is a widely-used and often misconfigured server-side scripting language. It should be used with caution, but configured appropriately when needed. Review /etc/php.ini and make the following changes if possible: # Do not expose PHP error messages to external users display_errors = Off # Enable safe mode safe_mode = On # Only allow access to executables in isolated directory safe_mode_exec_dir = php-required-executables-path # Limit external access to PHP environment safe_mode_allowed_env_vars = PHP_ # Restrict PHP information leakage expose_php = Off # Log all errors log_errors = On # Do not register globals for input data register_globals = Off # Minimize allowable PHP post size post_max_size = 1K # Ensure PHP redirects appropriately cgi.force_redirect = 0 # Disallow uploading unless necessary file_uploads = Off # Disallow treatment of file requests as fopen calls allow_url_fopen = Off # Enable SQL safe mode sql.safe_mode = On The Directory tags in the web server configuration file allow finer grained access control for a specified directory. All web directories should be configured on a case-by-case basis, allowing access only where needed. A default installation of httpd includes a plethora of dynamically shared objects (DSO) that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be disabled in the configuration file by removing the corresponding LoadModule directive. Note: A DSO only provides additional functionality if associated directives are included in the httpd configuration file. It should also be noted that removing a DSO will produce errors on httpd startup if the configuration file contains directives that apply to that module. Refer to http://httpd.apache.org/docs/ for details on which directives are associated with each DSO. Following each DSO removal, the configuration can be tested with the following command to check if everything still works: $ sudo service httpd configtest The purpose of each of the modules loaded by default will now be addressed one at a time. If none of a module's directives are being used, remove it. These modules comprise a basic subset of modules that are likely needed for base httpd functionality; ensure they are not commented out in /etc/httpd/conf/httpd.conf: LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authn_default_module modules/mod_authn_default.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_default_module modules/mod_authz_default.so LoadModule log_config_module modules/mod_log_config.so LoadModule logio_module modules/mod_logio.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule mime_module modules/mod_mome.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. The following modules are necessary if this web server will provide content that will be restricted by a password. Authentication can be performed using local plain text password files (authn_file), local DBM password files (authn_dbm) or an LDAP directory. The only module required by the web server depends on your choice of authentication. Comment out the modules you don't need from the following: LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_dbm_module modules/mod_authn_dbm.so authn_alias allows for authentication based on aliases. authn_anon allows anonymous authentication similar to that of anonymous ftp sites. authz_owner allows authorization based on file ownership. authz_dbm allows for authorization based on group membership if the web server is using DBM authentication. If the above functionality is unnecessary, comment out the related module: #LoadModule authn_alias_module modules/mod_authn_alias.so #LoadModule authn_anon_module modules/mod_authn_anon.so #LoadModule authz_owner_module modules/mod_authz_owner.so #LoadModule authz_dbm_module modules/mod_authz_dbm.so The Include directive directs httpd to load supplementary configuration files from a provided path. The default configuration loads all files that end in .conf from the /etc/httpd/conf.d directory. To restrict excess configuration, the following line should be commented out and replaced with Include directives that only reference required configuration files: #Include conf.d/*.conf If the above change was made, ensure that the SSL encryption remains loaded by explicitly including the corresponding configuration file: Include conf.d/ssl.conf If PHP is necessary, a similar alteration must be made: Include conf.d/php.conf Explicitly listing the configuration files to be loaded during web server start-up avoids the possibility of unwanted or malicious configuration files to be automatically included as part of the server's running configuration. The following modules perform very specific tasks, sometimes providing access to just a few additional directives. If such functionality is not required (or if you are not using these directives), comment out the associated module: External filtering (response passed through external program prior to client delivery) #LoadModule ext_filter_module modules/mod_ext_filter.soUser-specified Cache Control and Expiration #LoadModule expires_module modules/mod_expires.soCompression Output Filter (provides content compression prior to client delivery) #LoadModule deflate_module modules/mod_deflate.soHTTP Response/Request Header Customization #LoadModule headers_module modules/mod_headers.soUser activity monitoring via cookies #LoadModule usertrack_module modules/mod_usertrack.soDynamically configured mass virtual hosting #LoadModule vhost_alias_module modules/mod_vhost_alias.so Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. Among the modules available for httpd are several whose use may improve the security of the web server installation. This section recommends and discusses the deployment of security-relevant modules. The security module provides an application level firewall for httpd. Following its installation with the base ruleset, specific configuration advice can be found at http://www.modsecurity.org/ to design a policy that best matches the security needs of the web applications. Usage of mod_security is highly recommended for some environments, but it should be noted this module does not ship with Red Hat Enterprise Linux itself, and instead is provided via Extra Packages for Enterprise Linux (EPEL). For more information on EPEL please refer to http://fedoraproject.org/wiki/EPEL. Because HTTP is a plain text protocol, all traffic is susceptible to passive monitoring. If there is a need for confidentiality, SSL should be configured and enabled to encrypt content. Note: mod_nss is a FIPS 140-2 certified alternative to mod_ssl. The modules share a considerable amount of code and should be nearly identical in functionality. If FIPS 140-2 validation is required, then mod_nss should be used. If it provides some feature or its greater compatibility is required, then mod_ssl should be used. The ServerTokens and ServerSignature directives determine how much information the web server discloses about the configuration of the system. Running httpd inside a chroot jail is designed to isolate the web server process to a small section of the filesystem, limiting the damage if it is compromised. Versions of Apache greater than 2.2.10 (such as the one included with Red Hat Enterprise Linux 7) provide the ChrootDir directive. To run Apache inside a chroot jail in /chroot/apache, add the following line to /etc/httpd/conf/httpd.conf: ChrootDir /chroot/apache This necessitates placing all files required by httpd inside /chroot/apache , including httpd's binaries, modules, configuration files, and served web pages. The details of this configuration are beyond the scope of this guide. This may also require additional SELinux configuration. Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'. ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.)$ You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t. [\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times. --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. Denial-of-service attacks are difficult to detect and prevent while maintaining acceptable access to authorized users. However, some traffic-shaping modules can be used to address the problem. Well-known DoS protection modules include: mod_cband mod_bwshare mod_limitipconn mod_evasive Denial-of-service prevention should be implemented for a web server if such a threat exists. However, specific configuration details are very dependent on the environment and often best left at the discretion of the administrator. Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at http://www.dovecot.org contains more detailed information about Dovecot configuration. If the system will operate as an IMAP or POP3 server, the dovecot software should be configured securely by following the recommendations below. The default iptables configuration does not allow inbound access to any services. This modification will allow remote hosts to initiate connections to the IMAP daemon, while keeping all other ports on the server in their default protected state. To configure iptables to allow port 143 traffic, one must edit /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain: -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT SSL should be used to encrypt network traffic between the Dovecot server and its clients. Users must authenticate to the Dovecot server in order to read their mail, and passwords should never be transmitted in clear text. In addition, protecting mail as it is downloaded is a privacy measure, and clients may use SSL certificates to authenticate the server, preventing another system from impersonating the server. Dovecot supports the IMAP and POP3 protocols, as well as SSL-protected versions of those protocols. Configure the Dovecot server to support only the protocols needed by your site. Edit /etc/dovecot/dovecot.conf. Add or correct the following lines, replacing PROTOCOL with only the subset of protocols (imap, imaps, pop3, pop3s) required: protocols = PROTOCOL If possible, require SSL protection for all transactions. The SSL protocol variants listen on alternate ports (995 instead of 110 for pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients. An alternate approach is to listen on the standard port and require the client to use the STARTTLS command before authenticating. If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed. LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. SUSE Linux Enterprise 12 includes software that enables a system to act as both an LDAP client and server. This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate configuration files. SUSE Linux Enterprise 12 provides an automated configuration tool called authconfig and a graphical wrapper for authconfig called system-config-authentication. However, these tools do not provide as much control over configuration as manual editing of configuration files. The authconfig tools do not allow you to specify locations of SSL certificate files, which is useful when trying to use SSL cleanly across several protocols. Installation and configuration of OpenLDAP on SUSE Linux Enterprise 12 is available at Before configuring any system to be an LDAP client, ensure that a working LDAP server is present on the network. This section details some security-relevant settings for an OpenLDAP server. Create the PKI directory for LDAP certificates if it does not already exist: $ sudo mkdir /etc/pki/tls/ldap $ sudo chown root:root /etc/pki/tls/ldap $ sudo chmod 755 /etc/pki/tls/ldap Using removable media or some other secure transmission format, install the certificate files onto the LDAP server: /etc/pki/tls/ldap/serverkey.pem: the private key ldapserverkey.pem/etc/pki/tls/ldap/servercert.pem: the certificate file ldapservercert.pem Verify the ownership and permissions of these files: $ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem $ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem $ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem $ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct permissions: $ sudo mkdir /etc/pki/tls/CA $ sudo chown root:root /etc/pki/tls/CA/cacert.pem $ sudo chmod 644 /etc/pki/tls/CA/cacert.pem As a result of these steps, the LDAP server will have access to its own private certificate and the key with which that certificate is encrypted, and to the public certificate file belonging to the CA. Note that it would be possible for the key to be protected further, so that processes running as ldap could not read it. If this were done, the LDAP server process would need to be restarted manually whenever the server rebooted. Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not running MTAs unnecessarily, and configure needed MTAs as defensively as possible. Very few systems at any site should be configured to directly receive email over the network. Users should instead use mail client programs to retrieve email from a central server that supports protocols such as IMAP or POP3. However, it is normal for most systems to be independently capable of sending email, for instance so that cron jobs can report output to an administrator. Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from the local system to a central site MTA (or directly delivered to a local account), but the system still cannot receive mail directly over a network. The alternatives program in SUSE Linux Enterprise 12 permits selection of other mail server software (such as Sendmail), but Postfix is the default and is preferred. Postfix was coded with security in mind and can also be more effectively contained by SELinux as its modular design has resulted in separate processes performing specific actions. More information is available on its website, http://www.postfix.org. This section discusses settings for Postfix in a submission-only e-mail configuration. Specify an email address (string) for a root mail alias. system.administrator@mail.mil SLES-12-020050 Set up an alias for root that forwards to a monitored email address: $ sudo echo "root: _{" >> /etc/aliases $ sudo newaliases} CM-6(b) SLES-12-020050 SV-91993r2_rule CCI-000366 A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address. var_postfix_root_mail_alias="_{" replace_or_append '/etc/aliases' '^root' "$var_postfix_root_mail_alias" '' '%s: %s' newaliases} The guidance in this section is appropriate for any host which is operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some other software. If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended. There are also configurations for which it may be desirable to encrypt all mail in transit from one MTA to another, though such configurations are beyond the scope of this guide. In either event, the steps for creating and installing an SSL certificate are independent of the MTA in use, and are described here. Create the PKI directory for mail certificates, if it does not already exist: $ sudo mkdir /etc/pki/tls/mail $ sudo chown root:root /etc/pki/tls/mail $ sudo chmod 755 /etc/pki/tls/mail Using removable media or some other secure transmission format, install the files generated in the previous step onto the mail server: /etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem /etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem Verify the ownership and permissions of these files: $ sudo chown root:root /etc/pki/tls/mail/serverkey.pem $ sudo chown root:root /etc/pki/tls/mail/servercert.pem $ sudo chmod 600 /etc/pki/tls/mail/serverkey.pem $ sudo chmod 644 /etc/pki/tls/mail/servercert.pem Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct permissions: $ sudo chown root:root /etc/pki/tls/CA/cacert.pem $ sudo chmod 644 /etc/pki/tls/CA/cacert.pem Postfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is /etc/postfix/main.cf. Edit /etc/postfix/main.cf. Edit the following lines to configure the amount of system resources Postfix can consume: default_process_limit = 100 smtpd_client_connection_count_limit = 10 smtpd_client_connection_rate_limit = 30 queue_minfree = 20971520 header_size_limit = 51200 message_size_limit = 10485760 smtpd_recipient_limit = 100 The values here are examples. Note: The values given here are examples, and may need to be modified for any particular site. By default, the Postfix anvil process gathers mail receipt statistics. To get information about about what connection rates are typical at your site, look in /var/log/maillog for lines with the daemon name postfix/anvil. Postfix's mail relay controls are implemented with the help of the smtpd recipient restrictions option, which controls the restrictions placed on the SMTP dialogue once the sender and recipient envelope addresses are known. The guidance in the following sections should be applied to all systems. If there are systems which must be allowed to relay mail, but which cannot be trusted to relay unconditionally, configure SMTP AUTH with SSL support. To configure Postfix to restrict addresses to which it will send mail, see: http://www.postfix.org/SMTPD_ACCESS_README.html#danger The full contents of smtpd_recipient_restrictions will vary by site, since this is a common place to put spam restrictions and other site-specific options. The permit_mynetworks option allows all mail to be relayed from the systems in mynetworks. Then, the reject_unauth_destination option denies all mail whose destination address is not local, preventing any other systems from relaying. These two options should always appear in this order, and should usually follow one another immediately unless SMTP AUTH is used. To configure Postfix to restrict addresses to which it will send mail, see: http://www.postfix.org/SMTPD_ACCESS_README.html#danger The full contents of smtpd_recipient_restrictions will vary by site, since this is a common place to put spam restrictions and other site-specific options. The permit_mynetworks option allows all mail to be relayed from the systems in mynetworks. Then, the reject_unauth_destination option denies all mail whose destination address is not local, preventing any other systems from relaying. These two options should always appear in this order, and should usually follow one another immediately unless SMTP AUTH is used. Postfix provides options to use TLS for certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail or with SASL authentication. To configure Postfix to protect all SMTP AUTH transactions using TLS, see http://www.postfix.org/TLS_README.html. Edit /etc/postfix/main.cf, and configure the contents of the mynetworks variable in one of the following ways: If any system in the subnet containing the MTA may be trusted to relay messages, add or correct the following line: mynetworks_style = subnet This is also the default setting, and is in effect if all my_networks_style directives are commented.If only the MTA host itself is trusted to relay messages, add or correct the following line: mynetworks_style = hostIf the set of systems which can relay is more complicated, manually specify an entry for each netblock or IP address which is trusted to relay by setting the mynetworks variable directly: mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1 SMTP authentication allows remote clients to relay mail safely by requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses an authentication library called SASL, which is not part of Postfix itself. To enable the use of SASL authentication, see http://www.postfix.org/SASL_README.html The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NFS and its dependencies, and then details steps which should be taken to secure NFS's configuration. This section is relevant to systems operating as NFS clients, as well as to those operating as NFS servers. If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS. The steps in this section will prevent a system from operating as either an NFS client or an NFS server. Only perform these steps on systems which do not need NFS at all. To determine if any network filesystems handled by netfs are currently mounted on the system execute the following command: $ mount -t nfs,nfs4,smbfs,cifs,ncpfs If the command did not return any output then disable netfs. The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command: $ sudo systemctl disable netfs.service If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. All of these daemons run with elevated privileges, and many listen for network connections. If they are not needed, they should be disabled to improve system security posture. The steps in this section are appropriate for all systems which run NFS, whether they operate as clients or as servers. If NFS must be used, it should be deployed in the simplest configuration possible to avoid maintainability problems which may lead to unnecessary security exposure. Due to the reliability and security problems caused by NFS (specially NFSv3 and NFSv2), it is not a good idea for systems which act as NFS servers to also mount filesystems via NFS. At the least, crossed mounts (the situation in which each of two servers mounts a filesystem from the other) should never be used. Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never be accessible from outside the organization. However, by default for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port dynamically at service startup time. Dynamic ports cannot be protected by port filtering firewalls such as iptables. Therefore, restrict each service to always use a given port, so that firewalling can be done effectively. Note that, because of the way RPC is implemented, it is not possible to disable the RPC Bind service even if ports are assigned statically to all RPC services. In NFSv4, the mounting and locking protocols have been incorporated into the protocol, and the server listens on the the well-known TCP port 2049. As such, NFSv4 does not need to interact with the rpcbind, lockd, and rpc.statd daemons, which can and should be disabled in a pure NFSv4 environment. The rpc.mountd daemon is still required on the NFS server to setup exports, but is not involved in any over-the-wire operations. The steps in this section are appropriate for systems which operate as NFS clients. There is no need to run the NFS server daemons nfs and rpcsvcgssd except on a small number of properly secured systems designated as NFS servers. Ensure that these daemons are turned off on clients. Edit the file /etc/fstab. For each filesystem whose type (column 3) is nfs or nfs4, add the text ,nodev,nosuid to the list of mount options in column 4. If appropriate, also add ,noexec. See the section titled "Restrict Partition Mount Options" for a description of the effects of these options. In general, execution of files mounted via NFS should be considered risky because of the possibility that an adversary could intercept the request and substitute a malicious file. Allowing setuid files to be executed from remote servers is particularly risky, both for this reason and because it requires the clients to extend root-level trust to the NFS server. The steps in this section are appropriate for systems which operate as NFS servers. The all_squash maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the all_squash option from the file /etc/exports. The all_squash option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID. Linux's NFS implementation uses the file /etc/exports to control what filesystems and directories may be accessed via NFS. (See the exports(5) manpage for more information about the format of this file.) The syntax of the exports file is not necessarily checked fully on reload, and syntax errors can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying the file. The syntax of each line in /etc/exports is: /DIR host1(opt1,opt2) host2(opt3) where /DIR is a directory or filesystem to export, hostN is an IP address, netblock, hostname, domain, or netgroup to which to export, and optN is an option. If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exporting the filesystem read-only removes an attack vector against the server. The default filesystem export mode is ro, so do not specify rw without a good reason. When configuring NFS exports, ensure that each export line in /etc/exports contains a list of hosts which are allowed to access that export. If no hosts are specified on an export line, then that export is available to any remote host which requests it. All lines of the exports file should specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that unknown or remote hosts will be denied. Authorized hosts can be specified in several different formats: Name or alias that is recognized by the resolverFully qualified domain nameIP addressIP subnets in the format address/netmask or address/CIDR The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can be used both to ensure that time is consistent among a network of systems, and that their time is consistent with the outside world. If every system on a network reliably reports the same time, then it is much easier to correlate log messages in case of an attack. In addition, a number of cryptographic protocols (such as Kerberos) use timestamps to prevent certain types of attacks. If your network does not have synchronized time, these protocols may be unreliable or even unusable. Depending on the specifics of the network, global time accuracy may be just as important as local synchronization, or not very important at all. If your network is connected to the Internet, using a public timeserver (or one provided by your enterprise) provides globally accurate timestamps which may be essential in investigating or responding to an attack which originated outside of your network. A typical network setup involves a small number of internal systems operating as NTP servers, and the remainder obtaining time information from those internal servers. There is a choice between the daemons ntpd and chronyd, which are available from the repositories in the ntp and chrony packages respectively. The default chronyd daemon can work well when external time references are only intermittently accesible, can perform well even when the network is congested for longer periods of time, can usually synchronize the clock faster and with better time accuracy, and quickly adapts to sudden changes in the rate of the clock, for example, due to changes in the temperature of the crystal oscillator. Chronyd should be considered for all systems which are frequently suspended or otherwise intermittently disconnected and reconnected to a network. Mobile and virtual systems for example. The ntpd NTP daemon fully supports NTP protocol version 4 (RFC 5905), including broadcast, multicast, manycast clients and servers, and the orphan mode. It also supports extra authentication schemes based on public-key cryptography (RFC 5906). The NTP daemon (ntpd) should be considered for systems which are normally kept permanently on. Systems which are required to use broadcast or multicast IP, or to perform authentication of packets with the Autokey protocol, should consider using ntpd. Refer to https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/servers/Configuring_NTP_Using_the_chrony_Suite/ for more detailed comparison of features of chronyd and ntpd daemon features respectively, and for further guidance how to choose between the two NTP daemons. The upstream manual pages at http://chrony.tuxfamily.org/manual.html for chronyd and http://www.ntp.org for ntpd provide additional information on the capabilities and configuration of each of the NTP daemons. The maximum NTP or Chrony poll interval number in seconds specified as a power of two. 17 16 16 The list of vendor-approved time servers 0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org 0.opensuse.pool.ntp.org,1.opensuse.pool.ntp.org,2.opensuse.pool.ntp.org,3.opensuse.pool.ntp.org SLES-12-030300 The maxpoll should be configured to _{in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following: maxpoll} AU-8(1)(a) AU-8(1)(b) SLES-12-030300 SV-92171r1_rule 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-001891 CCI-002046 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1)(a) PR.PT-1 SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. var_time_service_set_maxpoll="_{" var_multiple_time_servers="" if ! rpm -q ntp > /dev/null && ! rpm -q chrony ; then package_install ntp || exit 1 systemctl enable ntpd fi remediated=0 config_file="/etc/ntp.conf /etc/chrony.conf" for config_file in $config_files ; do [[ -f "$config_file" ]] || continue remediated=1 # Set maxpoll values to var_time_service_set_maxpoll sed -i "s/^\(server.*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \2/" "$config_file" # add time servers if none are set if ! grep -q '^server' "$config_file" ; then echo >> "$config_file" # spawn a sub-shell, to avoid modifying IFS globally ( IFS=',' for server in $var_multiple_time_servers ; do echo "server $server maxpoll $var_time_service_set_maxpoll" >> "$config_file" done ) fi # Add maxpoll to server entries without maxpoll grep "^server" "$config_file" | grep -v maxpoll | while read -r line ; do sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file" done done [[ "$remediated" = "1" ]]} Additional NTP servers can be specified for time synchronization in the file /etc/ntp.conf. To do so, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver: server ntpserver 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4.3 Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems. To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver: server ntpserver This instructs the NTP software to contact that remote server to obtain time data. 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4.1 Req-10.4.3 Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. The ntpd service should be installed. CCI-001891 CCI-002046 AU-8(1)(a) AU-8(1)(b) NT012(R03) 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4 SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906. _{package_install ntp} - name: Ensure ntp is installed package: name: ntp state: present when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - package_ntp_installed - high_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AU-8(1) - PCI-DSS-Req-10.4 include install_ntp class install_ntp { package { 'ntp': ensure => 'installed', } } The ntpd service can be enabled with the following command: $ sudo systemctl enable ntpd.service NT012(R03) 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4 Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate. The ntpd service can be enabled with the following command: $ sudo systemctl enable ntpd.service CCI-001891 CCI-002046 AU-8(1)(a) AU-8(1)(b) SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4 Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate. _{package_install 'ntp' || exit 1 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'ntpd.service' "$SYSTEMCTL_EXEC" enable 'ntpd.service'} - name: Enable service ntpd service: name: ntpd enabled: 'yes' state: started when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - service_ntpd_enabled - medium_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AU-8(1) - PCI-DSS-Req-10.4 The systemd_timesyncd service can be enabled with the following command: $ sudo systemctl enable systemd_timesyncd.service NT012(R03) 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-000160 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-8(1) PR.PT-1 Req-10.4 Enabling the systemd_timesyncd service ensures that this host uses the ntp protocol to fetch time data from a ntp server. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. Additional information on Ubuntu network time protocol is available at https://help.ubuntu.com/lts/serverguide/NTP.html.en. This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best available guidance for some time. As a result of this, many of these services are not installed as part of SUSE Linux Enterprise 12 by default. Organizations which are running these services should switch to more secure equivalents as soon as possible. If it remains absolutely necessary to run one of these services for legacy reasons, care should be taken to restrict the service as much as possible, for instance by configuring host firewall software such as iptables to restrict access to the vulnerable service to only those remote hosts which have a known need to use it. The xinetd service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access controls and perform some logging. It has been largely obsoleted by other features, and it is not installed by default. The older Inetd service is not even available as part of SUSE Linux Enterprise 12. The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS should not be used because it suffers from security problems inherent in its design, such as inadequate protection of important authentication information. The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model. SLES-12-010410 The shosts.equiv file list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: $ sudo rm /[path]/[to]/[file]/shosts.equiv SLES-12-010410 SV-91835r1_rule CCI-000366 SRG-OS-000480-GPOS-00227 The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. # Identify local mounts MOUNT_LIST=$(df --local | awk '{ print $6 }') # Find file on each listed mount point for cur_mount in ${MOUNT_LIST} do find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm -f {} \; done The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location: $ sudo rm /etc/hosts.equiv $ rm ~/.rhosts 6.2.14 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-001436 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. SLES-12-010400 The ~/.shosts (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: $ sudo find / -name '.shosts' -type f -delete SLES-12-010400 SV-91833r1_rule CCI-000366 SRG-OS-000480-GPOS-00227 The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. # Identify local mounts MOUNT_LIST=$(df --local | awk '{ print $6 }') # Find file on each listed mount point for cur_mount in ${MOUNT_LIST} do find ${cur_mount} -xdev -type f -name ".shosts" -exec rm -f {} \; done The talk software makes it possible for users to send and receive messages across systems through a terminal session. The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication information such as passwords. Organizations which use telnet should be actively working to migrate to a more secure protocol. SLES-12-030000 The telnet-server package can be removed with the following command: $ sudo zypper remove telnet-server SLES-12-030000 SV-92125r1_rule 2.1.1 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 CCI-000381 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) CM-7(a) PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000095-GPOS-00049 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors. The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation. _{package_remove telnet-server} - name: Ensure telnet-server is removed package: name: telnet-server state: absent tags: - package_telnet-server_removed - high_severity - disable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-17(8) - NIST-800-53-CM-7(a) - DISA-STIG-030000 include remove_telnet-server class remove_telnet-server { package { 'telnet-server': ensure => 'purged', } } TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking operating systems frequently support configuration via SSH or other more secure protocols. A TFTP server should be run only if no more secure method of supporting existing equipment can be found. The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print jobs from other systems, process them, and send them to the appropriate printer. It also provides an interface for remote administration through a web browser. The CUPS service is installed and activated by default. The project homepage and more detailed documentation are available at http://www.cups.org. CUPS provides the ability to easily share local printers with other systems over the network. It does this by allowing systems to share lists of available printers. Additionally, each system that runs the CUPS service can potentially act as a print server. Whenever possible, the printer sharing and print server capabilities of CUPS should be limited or disabled. The following recommendations should demonstrate how to do just that. A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the system acting as a proxy server should be dedicated to that purpose alone and be stored in a physically secure location. The system's default proxy server software is Squid, and provided in an RPM package of the same name. If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed. A router is a very desirable target for a potential adversary because they fulfill a variety of infrastructure networking roles such as access to network segments, gateways to other networks, filtering, etc. Therefore, if one is required, the system acting as a router should be dedicated to that purpose alone and be stored in a physically secure location. The system's default routing software is Quagga, and provided in an RPM package of the same name. If Quagga was installed and activated, but the system does not need to act as a router, then it should be disabled and removed. When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two software packages that provide Samba support. The first, samba-client, provides a series of command line tools that enable a client system to access Samba shares. The second, simply labeled samba, provides the Samba service. It is this second package that allows a Linux system to act as an Active Directory server, a domain controller, or as a domain member. Only the samba-client package is installed by default. All settings for the Samba daemon can be found in /etc/samba/smb.conf. Settings are divided between a [global] configuration section and a series of user created share definition sections meant to describe file or print shares on the system. By default, Samba will operate in user mode and allow client systems to access local home directories and printers. It is recommended that these settings be changed or that additional limitations be set in place. By default, Samba utilizes the CUPS printing service to enable printer sharing with Microsoft Windows workstations. If there are no printers on the local system, or if printer sharing with Microsoft Windows is not required, disable the printer sharing capability by commenting out the following lines, found in /etc/samba/smb.conf: [global] load printers = yes cups options = raw [printers] comment = All Printers path = /usr/spool/samba browseable = no guest ok = no writable = no printable = yes There may be other options present, but these are the only options enabled and uncommented by default. Removing the [printers] share should be enough for most users. If the Samba printer sharing capability is needed, consider disabling the Samba network browsing capability or restricting access to a particular set of users or network addresses. Set the valid users parameter to a small subset of users or restrict it to a particular group of users with the shorthand @. Separate each user or group of users with a space. For example, under the [printers] share: [printers] valid users = user @printerusers Only users with local user accounts will be able to log in to Samba shares by default. Shares can be limited to particular users or network addresses. Use the hosts allow and hosts deny directives accordingly, and consider setting the valid users directive to a limited subset of users or to a group of users. Separate each address, user, or user group with a space as follows for a particular share or global: [share] hosts allow = 192.168.1. 127.0.0.1 valid users = userone usertwo @usergroup It is also possible to limit read and write access to particular users with the read list and write list options, though the permissions set by the system itself will override these settings. Set the read only attribute for each share to ensure that global settings will not accidentally override the individual share settings. Then, as with the valid users directive, separate each user or group of users with a space: [share] read only = yes write list = userone usertwo @usergroup Even after the Samba server package has been installed, it will remain disabled. Do not enable this service unless it is absolutely necessary to provide Microsoft Windows file and print sharing functionality. The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintext transmission of the community string (used for authentication) and usage of easily-guessable choices for the community string. The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but is not needed, the software should be disabled and removed. If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation. The multiple security models implemented by SNMP cannot be fully covered here so only the following general configuration advice can be offered: use only SNMP version 3 security models and enable the use of authentication and encryptionwrite access to the MIB (Management Information Base) should be allowed only if necessaryall access to the MIB should be restricted following a principle of least privilegenetwork access should be limited to the maximum extent possible including restricting to expected network addresses both in the configuration files and in the system firewall rulesensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management stationsensure that permissions on the snmpd.conf configuration file (by default, in /etc/snmp) are 640 or more restrictiveensure that any MIB files' permissions are also 640 or more restrictive The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, through the use of public key cryptography. The implementation included with the system is called OpenSSH, and more detailed documentation is available from its website, http://www.openssh.org. Its server program is called sshd and provided by the RPM package openssh-server. Specify firewalld zone to enable SSH service. This value is used only for remediation purposes. block public dmz drop external home internal public trusted work Specify port the SSH server is listening. 22 Specify the maximum number of authentication attempts per connection. 10 3 4 5 4 Specify if the Policy requires SSH to be installed. Used by SSH Rules to determine if SSH should be uninstalled or configured. A value of 0 means that the policy doesn't care if OpenSSH server is installed or not. If it is installed, scanner will check for it's configuration, if it's not installed, the check will pass. A value of 1 indicates that OpenSSH server package is not required by the policy; A value of 2 indicates that OpenSSH server package is required by the policy. 0 1 2 Specify the FIPS approved MACs (message authentication code) algorithms that are used for data integrity protection by the SSH server. hmac-sha2-512,hmac-sha2-256 Specify duration of allowed idle time. 600 7200 900 1800 300 3600 300 Specify the maximum number of idle message counts before session is terminated. 10 3 5 0 1 0 SLES-12-030220 To properly set the permissions of /etc/ssh/*_key, run the command: $ sudo chmod 0600 /etc/ssh/*_key CM-6(b) SLES-12-030220 SV-92161r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.13 3.13.10 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-17 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227 If an unauthorized user obtains the private SSH host key file, the host could be impersonated. find /etc/ssh -regex '^/etc/ssh/.*_key$' -exec chmod 0600 {} \; - name: Find /etc/ssh file(s) find: paths: /etc/ssh patterns: ^.*_key$ use_regex: true register: files_found when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - file_permissions_sshd_private_key - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - NIST-800-53-AC-17 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - DISA-STIG-030220 - name: Set permissions for /etc/ssh file(s) file: path: '{{ item.path }}' mode: 384 with_items: - '{{ files_found.files }}' when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - file_permissions_sshd_private_key - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - NIST-800-53-AC-17 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - DISA-STIG-030220 include ssh_private_key_perms class ssh_private_key_perms { exec { 'sshd_priv_key': command => "chmod 0640 /etc/ssh/*_key", path => '/bin:/usr/bin' } } SLES-12-030210 To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub CM-6(b) SLES-12-030210 SV-92159r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.13 3.13.10 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227 If a public host key file is modified by an unauthorized user, the SSH service may be compromised. find /etc/ssh -regex '^/etc/ssh/.*.pub$' -exec chmod 0644 {} \; - name: Find /etc/ssh file(s) find: paths: /etc/ssh patterns: ^.*.pub$ use_regex: true register: files_found when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - file_permissions_sshd_pub_key - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - DISA-STIG-030210 - name: Set permissions for /etc/ssh file(s) file: path: '{{ item.path }}' mode: 420 with_items: - '{{ files_found.files }}' when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - file_permissions_sshd_pub_key - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - DISA-STIG-030210 include ssh_public_key_perms class ssh_public_key_perms { exec { 'sshd_pub_key': command => "chmod 0644 /etc/ssh/*.pub", path => '/bin:/usr/bin' } } By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. Edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line: -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT This is unusual, as SSH is a common method for encrypted and authenticated remote access. If inbound SSH connections are not expected, disallowing access to the SSH port will avoid possible exploitation of the port by an attacker. The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. The sshd service can be disabled with the following command: $ sudo systemctl disable sshd.service This is unusual, as SSH is a common method for encrypted and authenticated remote access. SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'sshd.service' "$SYSTEMCTL_EXEC" disable 'sshd.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^sshd.socket\>' && "$SYSTEMCTL_EXEC" disable 'sshd.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'sshd.service' - name: Disable service sshd service: name: sshd enabled: 'no' state: stopped register: service_result failed_when: service_result is failed and ('Could not find the requested service' not in service_result.msg) when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - service_sshd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - no_reboot_needed - name: Disable socket of service sshd if applicable service: name: sshd.socket enabled: 'no' state: stopped register: socket_result failed_when: socket_result is failed and ('Could not find the requested service' not in socket_result.msg) when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - service_sshd_disabled - unknown_severity - disable_strategy - low_complexity - low_disruption - no_reboot_needed SLES-12-030100 The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command: $ sudo systemctl enable sshd.service SLES-12-030100 SV-92137r2_rule 13 14 APO01.06 DSS05.02 DSS05.04 DSS05.07 DSS06.02 DSS06.06 3.1.13 3.5.4 3.13.8 CCI-002418 CCI-002420 CCI-002421 CCI-002422 SR 3.1 SR 3.8 SR 4.1 SR 4.2 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-8 PR.DS-2 PR.DS-5 SRG-OS-000423-GPOS-00187 SRG-OS-000423-GPOS-00188 SRG-OS-000423-GPOS-00189 SRG-OS000423-GPOS-00190 Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. _{package_install 'openssh' || exit 1 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'sshd.service' "$SYSTEMCTL_EXEC" enable 'sshd.service'} - name: Enable service sshd service: name: sshd enabled: 'yes' state: started when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - service_sshd_enabled - medium_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-SC-8 - NIST-800-171-3.1.13 - NIST-800-171-3.5.4 - NIST-800-171-3.13.8 - DISA-STIG-030100 The openssh package should be installed. The openssh package can be installed with the following command: $ sudo zypper install openssh CCI-002418 CCI-002420 CCI-002421 CCI-002422 SC-8 SRG-OS-000423-GPOS-00187 Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. _{package_install openssh} - name: Ensure openssh is installed package: name: openssh state: present when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - package_openssh_installed - medium_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-SC-8 include install_openssh class install_openssh { package { 'openssh': ensure => 'installed', } } If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file /etc/ssh/sshd_config. The following recommendations can be applied to this file. See the sshd_config(5) man page for more detailed information. Specify whether and how sshd separates privileges when handling incoming network connections. no yes sandbox sandbox SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config: HostbasedAuthentication no 5.2.7 11 12 14 15 16 18 3 5 9 5.5.6 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-17 CM-6(b) PR.AC-4 PR.AC-6 PR.IP-1 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00229 SRG-OS-000480-VMM-002000 SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. grep -q ^HostbasedAuthentication /etc/ssh/sshd_config && \ sed -i "s/HostbasedAuthentication.*/HostbasedAuthentication no/g" /etc/ssh/sshd_config if ! [ $? -eq 0 ]; then echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config fi - name: Disable Host-Based Authentication lineinfile: create: true dest: /etc/ssh/sshd_config regexp: ^HostbasedAuthentication line: HostbasedAuthentication no when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - disable_host_auth - medium_severity - restrict_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-3 - NIST-800-53-AC-17 - NIST-800-53-CM-6(b) - NIST-800-171-3.1.12 - CJIS-5.5.6 Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears: Protocol 2 As of openssh-server version 7.4 and above, the only protocol supported is version 2, and line Protocol 2 in /etc/ssh/sshd_config is not necessary. 5.2.2 1 12 15 16 5 8 5.5.6 APO13.01 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.13 3.5.4 CCI-000197 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-17(b) AC-17(8).1(ii) IA-5(1)(c) PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 PR.PT-4 SRG-OS-000074-GPOS-00042 SRG-OS-000480-GPOS-00227 SRG-OS-000033-VMM-000140 SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. SLES-12-030250 Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise , it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file: Compression no or Compression delayed SLES-12-030250 SV-92167r2_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000 If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially wih root privileges. _{replace_or_append '/etc/ssh/sshd_config' '^Compression' 'delayed' '' '%s %s'} SLES-12-030150 To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config: PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. CCI-000366 CM-6(b) SLES-12-030150 SV-92147r1_rule 5.2.9 11 12 13 14 15 16 18 3 5 9 5.5.6 APO01.06 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 3.1.1 3.1.5 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-6 AC-17(b) CM-6(b) PR.AC-4 PR.AC-6 PR.DS-5 PR.IP-1 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00229 SRG-OS-000480-VMM-002000 Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. _{replace_or_append '/etc/ssh/sshd_config' '^PermitEmptyPasswords' 'no' '' '%s %s'} Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the following line in the /etc/ssh/sshd_config file: GSSAPIAuthentication no 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000368 CCI-000318 CCI-001812 CCI-001813 CCI-001814 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-17(b) CM-6(c) PR.IP-1 FIA_AFL.1 SRG-OS-000364-GPOS-00151 SRG-OS-000480-VMM-002000 GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the /etc/ssh/sshd_config file: KerberosAuthentication no 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000368 CCI-000318 CCI-001812 CCI-001813 CCI-001814 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(c) PR.IP-1 FIA_AFL.1 SRG-OS-000364-GPOS-00151 SRG-OS-000480-VMM-002000 Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: IgnoreRhosts yes 5.2.6 11 12 14 15 16 18 3 5 9 5.5.6 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.1.12 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 AC-17(b) CM-6(a) PR.AC-4 PR.AC-6 PR.IP-1 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00227 SRG-OS-000107-VMM-000530 SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: RhostsRSAAuthentication no As of openssh-server version 7.4 and above, the RhostsRSAAuthentication option has been deprecated, and the line RhostsRSAAuthentication no in /etc/ssh/sshd_config is not necessary. 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(a) AC-17(b) PR.IP-1 FIA_AFL.1 SRG-OS-000480-GPOS-00227 Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. SLES-12-030140 The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config: PermitRootLogin no CCI-000770 IA-2(5) SRG-OS-000109-GPOS-00056 SLES-12-030140 SV-92145r2_rule 5.2.8 1 11 12 13 14 15 16 18 3 5 5.5.6 APO01.06 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.06 DSS06.10 3.1.1 3.1.5 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-3 AC-6(2) AC-17(b) IA-2 IA-2(5) PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 PR.PT-3 FIA_AFL.1 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000 Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. SSHD_CONFIG='/etc/ssh/sshd_config' # Obtain line number of first uncommented case-insensitive occurrence of Match # block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) # Obtain line number of first uncommented case-insensitive occurence of # PermitRootLogin directive (possibly prefixed with whitespace) present in # $SSHD_CONFIG FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG) # Case: Match block directive not present in $SSHD_CONFIG if [ -z "$FIRST_MATCH_BLOCK" ] then # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ] then # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG # Case: PermitRootLogin directive present in $SSHD_CONFIG already else # Replace first uncommented case-insensitive occurrence # of PermitRootLogin directive sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG fi # Case: Match block directive present in $SSHD_CONFIG else # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ] then # Prepend 'PermitRootLogin no' before first uncommented # case-insensitive occurrence of Match block directive sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed # before first Match block directive elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ] then # Replace first uncommented case-insensitive occurrence # of PermitRootLogin directive sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed # after first Match block directive else # Prepend 'PermitRootLogin no' before first uncommented # case-insensitive occurrence of Match block directive sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG fi fi SLES-12-030200 SSH can allow system users host-based authentication to connect to systems if a cache of the remote systems public keys are available. This should be disabled. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: IgnoreUserKnownHosts yes CM-6(b) SLES-12-030200 SV-92157r1_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-17(b) CM-6(a) PR.IP-1 FIA_AFL.1 SRG-OS-000480-GPOS-00227 Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. _{replace_or_append '/etc/ssh/sshd_config' '^IgnoreUserKnownHosts' 'yes' '' '%s %s'} SLES-12-030150 To ensure users are not able to override environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config: PermitUserEnvironment no CCI-000366 CM-6(b) SLES-12-030150 SV-92147r1_rule 5.2.10 11 3 9 5.5.6 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-17(b) CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00229 SRG-OS-000480-VMM-002000 SSH environment options potentially allow users to bypass access restriction in some configurations. _{replace_or_append '/etc/ssh/sshd_config' '^PermitUserEnvironment' 'no' '' '%s %s'} SLES-12-030230 SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected. To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file: StrictModes yes CM-6(b) SLES-12-030230 SV-92163r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-17(b) PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000 If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. _{replace_or_append '/etc/ssh/sshd_config' '^StrictModes' 'yes' '' '%s %s'} SLES-12-030120, SLES-12-030050 To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config: Banner /etc/issue Another section contains information on how to create an appropriate system-wide warning banner. CCI-000048 AC-8(a) SLES-12-030120 SV-92141r2_rule SLES-12-030050 SV-92135r3_rule 5.2.16 1 12 15 16 5.5.6 DSS05.04 DSS05.10 DSS06.10 3.1.9 CCI-000048 CCI-000050 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-8(a) AC-8(b) AC-8(c)(1) AC-8(c)(2) AC-8(c)(3) AC-17(b) PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000023-GPOS-00006 SRG-OS-000024-GPOS-00007 SRG-OS-000228-GPOS-00088 SRG-OS-000023-VMM-000060 SRG-OS-000024-VMM-000070 The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. grep -q ^Banner /etc/ssh/sshd_config && \ sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config if ! [ $? -eq 0 ]; then echo "Banner /etc/issue" >> /etc/ssh/sshd_config fi SLES-12-030260 By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled. To enable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config: X11Forwarding yes CM-6(b) SLES-12-030260 SV-92169r1_rule 5.2.4 1 11 12 13 15 16 18 20 3 4 6 9 BAI03.08 BAI07.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS03.01 3.1.13 CCI-000366 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 7.6 A.12.1.1 A.12.1.2 A.12.1.4 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-2(1)(b) DE.AE-1 PR.DS-7 PR.IP-1 SRG-OS-000480-GPOS-00227 Open X displays allow an attacker to capture keystrokes and to execute commands remotely. _{replace_or_append '/etc/ssh/sshd_config' '^X11Forwarding' 'yes' '' '%s %s'} By default, the SSH configuration allows any user with an account to access the system. In order to specify the users that are allowed to login via SSH and deny all other users, add or correct the following line in the /etc/ssh/sshd_config file: DenyUsers USER1 USER2 Where USER1 and USER2 are valid user names. 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.1.12 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 PR.AC-4 PR.AC-6 PR.PT-3 Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system. SLES-12-030130 When enabled, SSH will display the date and time of the last successful account logon. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file: PrintLastLog yes CCI-000366 CM-6(b) SLES-12-030130 SV-92143r1_rule 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 CCI-000366 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-9 AC-17(b) PR.AC-7 SRG-OS-000480-GPOS-00227 Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. _{replace_or_append '/etc/ssh/sshd_config' '^PrintLastLog' 'yes' '' '%s %s'} SLES-12-030190 SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows: ClientAliveInterval The timeout interval is given in seconds. To have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. CCI-000879 CCI-001133 CCI-002361 MA-4(e) SC-10 AC-12 SRG-OS-000126-GPOS-00066 SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109 SLES-12-030190 SV-92155r1_rule 5.2.12 1 12 13 14 15 16 18 3 5 7 8 5.5.6 APO13.01 BAI03.01 BAI03.02 BAI03.03 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.11 CCI-001133 CCI-002361 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.14.1.1 A.14.2.1 A.14.2.5 A.18.1.4 A.6.1.2 A.6.1.5 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(5) SA-8(i) AC-12 AC-17(b) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.IP-2 Req-8.1.8 SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109 SRG-OS-000480-VMM-002000 Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. sshd_idle_timeout_value="_{" replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value '' '%s %s'} SLES-12-030191 To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, edit /etc/ssh/sshd_config as follows: ClientAliveCountMax CCI-000879 CCI-001133 CCI-002361 MA-4(e) SC-10 AC-12 SLES-12-030191 SV-96515r1_rule 5.2.12 1 12 13 14 15 16 18 3 5 7 8 5.5.6 APO13.01 BAI03.01 BAI03.02 BAI03.03 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.11 CCI-001133 CCI-002361 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.14.1.1 A.14.2.1 A.14.2.5 A.18.1.4 A.6.1.2 A.6.1.5 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(5) SA-8 AC-12 AC-17(b) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.IP-2 SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109A SRG-OS-000480-VMM-002000 This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. var_sshd_set_keepalive="_{" replace_or_append '/etc/ssh/sshd_config' '^ClientAliveCountMax' "$var_sshd_set_keepalive" '' '%s %s'} The INFO parameter specifices that record login and logout activity will be logged. To specify the log level in SSH, add or correct the following line in the /etc/ssh/sshd_config file: LogLevel INFO AC-17(b) SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. to set MaxAUthTries edit /etc/ssh/sshd_config as follows: MaxAuthTries tries Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. SLES-12-030170 Limit the ciphers to those algorithms which are DoD-approved. Only Counter (CTR) mode is allowed inside the SSH daemon configuration. The following line in /etc/ssh/sshd_config demonstrates use of DoD-approved encryption ciphers: Ciphers aes128-ctr,aes192-ctr,aes256-ctr The man page sshd_config(5) contains a list of supported ciphers. CCI-000068 CCI-000366 CCI-000803 CCI-002890 AC-17(2) CM-6(b) IA-7 MA-4(6) SLES-12-030170 SV-92151r2_rule 5.2.10 1 11 12 14 15 16 18 3 5 6 8 9 5.5.6 APO11.04 APO13.01 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 MEA02.01 3.1.13 3.13.11 3.13.8 CCI-000068 CCI-000366 CCI-000803 164.308(b)(1) 164.308(b)(2) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) 164.314(b)(2)(i) 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.18.1.4 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-3 AC-17(b) AC-17(2) AU-10(5) CM-6(b) IA-5(1)(c) IA-7 SI-7 SC-13 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.AC-7 PR.IP-1 PR.PT-1 PR.PT-3 PR.PT-4 SRG-OS-000033-GPOS-00014 SRG-OS-000120-GPOS-00061 SRG-OS-000125-GPOS-00065 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173 SRG-OS-000033-VMM-000140 SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000396-VMM-001590 Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. Operating systems utilizing encryption are required to use DoD-approved ciphers to protect the confidentiality of SSH remote connections. _{replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr' '' '%s %s'} SLES-12-030180 Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs: MACs hmac-sha2-512,hmac-sha2-256 The man page sshd_config(5) contains a list of supported MACs. CCI-000877 CCI-001453 CCI-003123 MA-4(c) AC-17(2) MA-4(6) SLES-12-030180 SV-92153r2_rule 5.2.12 1 12 13 15 16 5 8 APO01.06 APO13.01 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.07 DSS06.02 DSS06.03 3.1.13 3.13.11 3.13.8 CCI-000068 CCI-000803 CCI-001453 164.308(b)(1) 164.308(b)(2) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii) 164.314(b)(2)(i) 4.3.3.5.1 4.3.3.6.6 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.11.2.6 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-17(b) AC-17(2) IA-7 SC-13 PR.AC-1 PR.AC-3 PR.DS-5 PR.PT-4 SRG-OS-000250-GPOS-00093 SRG-OS-000125-GPOS-00065 SRG-OS-000394-GPOS-00174 SRG-OS-000033-VMM-000140 SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000480-VMM-002000 SRG-OS-000396-VMM-001590 DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. sshd_approved_macs="_{" replace_or_append '/etc/ssh/sshd_config' '^MACs' "$sshd_approved_macs" '' '%s %s'} SLES-12-030240 When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file: UsePrivilegeSeparation CM-6(b) SLES-12-030240 SV-92165r2_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.12 CCI-000366 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-17(b) PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227 SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section. var_sshd_priv_separation="_{" replace_or_append '/etc/ssh/sshd_config' '^UsePrivilegeSeparation' "$var_sshd_priv_separation" '' '%s %s'} SLES-12-030110 The VERBOSE parameter specifices that record login and logout activity will be logged. To specify the log level in SSH, add or correct the following line in the /etc/ssh/sshd_config file: LogLevel VERBOSE CCI-000067 AC-17(1) SLES-12-030110 SV-92139r1_rule SRG-OS-000032-GPOS-00013 SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO or VERBOSE level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. grep -q ^LogLevel /etc/ssh/sshd_config && \ sed -i "s/^LogLevel.*/LogLevel VERBOSE/g" /etc/ssh/sshd_config if ! [ $? -eq 0 ]; then echo "LogLevel VERBOSE" >> /etc/ssh/sshd_config fi If the SSH server is expected to only receive connections from the local network, then strengthen the default firewall rule for the SSH service to only accept connections from the appropriate network segment(s). Determine an appropriate network block, netwk, network mask, mask, and network protocol, ip_protocol, representing the systems on your network which will be allowed to access this SSH server. Run the following command: firewall-cmd --permanent --add-rich-rule='rule family="ip_protocol" source address="netwk/mask" service name="ssh" accept' The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline support to systems utilizing SSSD. SSSD using caching to reduce load on authentication servers permit offline authentication as well as store extended user data. For more information, see Value of the memcache_timeout option in the [nss] section of SSSD config /etc/sssd/sssd.conf. 180 300 600 900 1800 86400 300 Value of the ssh_known_hosts_timeout option in the [ssh] section of SSSD configuration file /etc/sssd/sssd.conf. 180 300 600 900 1800 86400 180 SLES-12-010670 SSSD's memory cache should be configured to set to expire records after seconds. To configure SSSD to expire memory cache, set memcache_timeout to under the [nss] section in /etc/sssd/sssd.conf. For example: [nss] memcache_timeout = SLES-12-010670 SV-91879r3_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-002007 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(10) IA-5(13) PR.AC-1 PR.AC-6 PR.AC-7 FIA_AFL.1 SRG-OS-000383-GPOS-00166 SRG-OS-000383-VMM-001570 If cached authentication information is out-of-date, the validity of the authentication information may be questionable. var_sssd_memcache_timeout="_{" SSSD_CONF="/etc/sssd/sssd.conf" MEMCACHE_TIMEOUT_REGEX="[[:space:]]*\[nss]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" NSS_REGEX="[[:space:]]*\[nss]" # Try find [nss] and memcache_timeout in sssd.conf, if it exists, set to # var_sssd_memcache_timeout, if it isn't here, add it, if [nss] doesn't # exist, add it there if grep -qzosP $MEMCACHE_TIMEOUT_REGEX $SSSD_CONF; then sed -i "s/memcache_timeout[^(\n)]*/memcache_timeout = $var_sssd_memcache_timeout/" $SSSD_CONF elif grep -qs $NSS_REGEX $SSSD_CONF; then sed -i "/$NSS_REGEX/a memcache_timeout = $var_sssd_memcache_timeout" $SSSD_CONF else mkdir -p /etc/sssd touch $SSSD_CONF echo -e "[nss]\nmemcache_timeout = $var_sssd_memcache_timeout" >> $SSSD_CONF fi} SLES-12-010680 SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example: [pam] offline_credentials_expiration = 1 SLES-12-010680 SV-91881r2_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-002007 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(13) PR.AC-1 PR.AC-6 PR.AC-7 FIA_AFL.1 SRG-OS-000383-GPOS-00166 SRG-OS-000383-VMM-001570 If cached authentication information is out-of-date, the validity of the authentication information may be questionable. SSSD_CONF="/etc/sssd/sssd.conf" SSSD_OPT="offline_credentials_expiration" SSSD_OPT_VAL=1 PAM_REGEX="[[:space:]]*\[pam]" PAM_OPT_REGEX="${PAM_REGEX}([^\n\[]*\n+)+?[[:space:]]*${SSSD_OPT}" # Try find [pam] and offline_credentials_expiration in sssd.conf, if it exists # set it to 1, if it doesn't exist add it, if [pam] section doesn't exist add # the section and the configuration option. if grep -qzosP $PAM_OPT_REGEX $SSSD_CONF; then sed -i "s/${SSSD_OPT}[^(\n)]*/${SSSD_OPT} = ${SSSD_OPT_VAL}/" $SSSD_CONF elif grep -qs $PAM_REGEX $SSSD_CONF; then sed -i "/$PAM_REGEX/a ${SSSD_OPT} = ${SSSD_OPT_VAL}" $SSSD_CONF else mkdir -p /etc/sssd touch $SSSD_CONF echo -e "[pam]\n${SSSD_OPT} = ${SSSD_OPT_VAL}" >> $SSSD_CONF fi The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline support to systems utilizing SSSD. SSSD using caching to reduce load on authentication servers permit offline authentication as well as store extended user data. SSSD can support many backends including LDAP. The sssd-ldap backend allows SSSD to fetch identity information from an LDAP server. Path of a directory that contains Certificate Authority certificates. /etc/openldap/cacerts The X Window System implementation included with the system is called X.org. Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and remove the X Windows software packages. There is usually no reason to run X Windows on a dedicated server system, as it increases the system's attack surface and consumes system resources. Administrators of server systems should instead login via SSH or on the text console. Contains rules that check correct system settings. In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it more difficult for unauthorized people to gain shell access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under SUSE Linux Enterprise 12. Each system should expose as little information about itself as possible. System banners, which are typically displayed just before a login prompt, give out information about the service or the host's operating system. This might include the distribution name and the system kernel version, and the particular version of a network service. This information can assist intruders in gaining access to the system as it can reveal whether the system is running vulnerable software. Most network services can be configured to limit what information is displayed. Many organizations implement security policies that require a system banner provide notice of the system's ownership, provide warning to unauthorized users, and remind authorized users of their consent to monitoring. Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'. ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreement. [\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times. --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: I've read & consent to terms in IS user agreem't. 1.7.1.2 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.9 CCI-000048 CCI-000050 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-8(a) AC-8(b) AC-8(c)(1) AC-8(c)(2) AC-8(c)(3) PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000023-GPOS-00006 SRG-OS-000024-GPOS-00007 SRG-OS-000023-VMM-000060 SRG-OS-000024-VMM-000070 Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. login_banner_text="_{" # There was a regular-expression matching various banners, needs to be expanded expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g') formatted=$(echo "$expanded" | fold -sw 80) cat <<EOF >/etc/issue $formatted EOF printf "\n" >> /etc/issue} SLES-12-010030 To configure the system login banner edit /etc/motd. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: I've read & consent to terms in IS user agreem't. SLES-12-010030 SV-91747r2_rule CCI-000048 AC-8(a) AC-8(b) AC-8(c)(1) AC-8(c)(2) AC-8(c)(3) Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. login_banner_text="_{" # There was a regular-expression matching various banners, needs to be expanded expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g') formatted=$(echo "$expanded" | fold -sw 80) cat <<EOF >/etc/motd $formatted EOF printf "\n" >> /etc/motd} In the default graphical environment, users logging directly into the system are greeted with a login screen provided by the GNOME Display Manager (GDM). The warning banner should be displayed in this graphical environment for these users. The following sections describe how to configure the GDM login banner. SLES-12-010040 In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true. To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example: [org/gnome/login-screen] banner-message-enable=true Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/login-screen/banner-message-enable After the settings have been set, run dconf update. The banner text must also be set. SLES-12-010040 SV-91749r2_rule 1.7.2 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.9 CCI-000048 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-8(a) AC-8(b) AC-8(c)(1) AC-8(c)(2) AC-8(c)(3) PR.AC-7 FMT_MOF_EXT.1 OS-SRG-000023-GPOS-00006 SRG-OS-000024-GPOS-00007 SRG-OS-000228-GPOS-00088 Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. _{include_dconf_settings dconf_settings 'org/gnome/login-screen' 'banner-message-enable' 'true' 'gdm.d' '00-security-settings' dconf_lock 'org/gnome/login-screen' 'banner-message-enable' 'gdm.d' '00-security-settings-lock'} SLES-12-010050 In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting banner-message-text to string 'APPROVED_BANNER' where APPROVED_BANNER is the approved banner for your environment. To enable, add or edit banner-message-text to /etc/dconf/db/gdm.d/00-security-settings. For example: [org/gnome/login-screen] banner-message-text='APPROVED_BANNER' Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/login-screen/banner-message-text After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines. CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388 SLES-12-010050 SV-91751r4_rule 1.7.2 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.9 CCI-000048 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-8(a) AC-8(b) AC-8(c) PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000023-GPOS-00006 SRG-OS-000024-GPOS-00007 SRG-OS-000228-GPOS-00088 An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. login_banner_text="_{" include_dconf_settings expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;s/\\n/\\\\n/g') dconf_settings 'org/gnome/login-screen' 'banner-message-text' "string '${expanded}'" 'gdm.d' '00-security-settings' dconf_lock 'org/gnome/login-screen' 'banner-message-text' 'gdm.d' '00-security-settings-lock'} To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gdm/simple-greeter/banner_message_enable true To display a banner, this setting must be enabled and then banner text must also be set. 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-8(a) AC-8(b) AC-8(c) PR.AC-7 An appropriate warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. To set the text shown by the GNOME Display Manager in the login screen, run the following command: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gdm/simple-greeter/banner_message_text \ "Text of the warning banner here" When entering a warning banner that spans several lines, remember to begin and end the string with ". This command writes directly either to the /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml if it exists or to the file /etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml. Either of these files can later be edited directly if necessary. 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-8(a) AC-8(b) AC-8(c) PR.AC-7 An appropriate warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. SLES-12-010020 Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for the SUSE operating system: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Check the configuration by running the following command: # more /etc/gdm/Xsession The beginning of the file must contain the following text immediately after #!/bin/sh: if ! zenity --text-info \ --title "Consent" \ --filename=/etc/gdm/banner \ --no-markup \ --checkbox="Accept." 10 10; then sleep 1; exit 1; fi SLES-12-010020 SV-91745r3_rule CCI-000048 CCI-000050 Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. if ! [ -x /etc/gdm/Xsession ] ; then echo "can only remediate if /etc/gdm/Xsession is an executable shell script" >&2 exit 1 fi if ! awk 'NR==1 && $0 == "#!/bin/sh" { exit 0 } ; { exit 1 }' /etc/gdm/Xsession ; then echo "can only remediate if /etc/gdm/Xsession is a shell script" >&2 exit 1 fi f=$(mktemp) echo '#!/bin/sh if ! zenity --text-info \ --title "Consent" \ --filename=/etc/gdm/banner \ --no-markup \ --checkbox="Accept." 10 10; then sleep 1; exit 1; fi ' > "$f" # copy original contents of /etc/gdm/Xsession - but skip the shebang tail -n +2 /etc/gdm/Xsession >> "$f" chown --reference=/etc/gdm/Xsession "$f" chmod --reference=/etc/gdm/Xsession "$f" mv "$f" /etc/gdm/Xsession SLES-12-030020 To configure the GUI system login banner edit /etc/gdm/banner. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: I've read & consent to terms in IS user agreem't. SLES-12-030020 SV-92129r1_rule CCI-000050 AC-8(b) Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. login_banner_text="_{" # There was a regular-expression matching various banners, needs to be expanded expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g') formatted=$(echo "$expanded" | fold -sw 80) cat <<EOF >/etc/gdm/banner $formatted EOF chmod 0644 /etc/gdm/banner} PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it should be configured to minimize exposure to unnecessary risk. This section contains guidance on how to accomplish that. PAM is implemented as a set of shared objects which are loaded and invoked whenever an application wishes to authenticate a user. Typically, the application must be running as root in order to take advantage of PAM, because PAM's modules often need to be able to access sensitive stores of account information, such as /etc/shadow. Traditional privileged network listeners (e.g. sshd) or SUID programs (e.g. sudo) already meet this requirement. An SUID root application, userhelper, is provided so that programs which are not SUID or privileged themselves can still take advantage of PAM. PAM looks in the directory /etc/pam.d for application-specific configuration information. For instance, if the program login attempts to authenticate a user, then PAM's libraries follow the instructions in the file /etc/pam.d/login to determine what actions should be taken. One very important file in /etc/pam.d is /etc/pam.d/system-auth. This file, which is included by many other PAM configuration files, defines 'default' system authentication measures. Modifying this file is a good way to make far-reaching authentication changes, for instance when implementing a centralized authentication service. Be careful when making changes to PAM's configuration files. The syntax for these files is complex, and modifications can have unexpected consequences. The default configurations shipped with applications should be sufficient for most users. Running authconfig or system-config-authentication will re-write the PAM configuration files, destroying any manually made changes and replacing them with a series of system defaults. One reference to the configuration file syntax can be found at http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html. The last n passwords for each user are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating between the same password too frequently. 0 10 24 4 5 5 SLES-12-010390 To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/login to read as follows: session required pam_lastlog.so showfailed And make sure that, the silent option is not set. SLES-12-010390 SV-91831r2_rule 1 12 15 16 5.5.2 DSS05.04 DSS05.10 DSS06.10 CCI-000366 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-9 PR.AC-7 Req-10.2.4 SRG-OS-000480-GPOS-00227 Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. _{ensure_pam_module_options '/etc/pam.d/login' 'session' 'required' 'pam_lastlog.so' 'showfailed' "" "" # remove 'silent' option sed -i --follow-symlinks -E -e 's/^([^#]+pam_lastlog\.so[^#]*)\ssilent/\1/' '/etc/pam.d/login'} SLES-12-010370 To configure the system to introduce a delay after failed logon attempts, add or correct the pam_faildelay settings in /etc/pam.d/common-auth to read as follows: auth required pam_faildelay.so delay=₀₀₀₀₀₀ SLES-12-010370 SV-91827r2_rule CCI-000366 CM-6(b) CM-6.1(iv) Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. var_accounts_fail_delay="_{" # convert to microseconds delay=$((var_accounts_fail_delay*1000000)) ensure_pam_module_options '/etc/pam.d/common-auth' 'auth' 'required' 'pam_faildelay.so' 'delay' "$delay" "$delay"} SLES-12-010910 Verify the SUSE operating system is configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. SLES-12-010910 SV-91981r2_rule CCI-000366 CM-6(b) CM-6.1(iv) pam-config is a command line utility that automatically generates a system PAM configuration as packages are installed, updated or removed from the system. pam-config removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security. for link in $(find /etc/pam.d/ -type l -iname "common-*") ; do target=$(readlink -f "$link") cp -p --remove-destination "$target" "$link" done The pam_faillock PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentation is available in /usr/share/doc/pam-VERSION/txts/README.pam_faillock. Locking out user accounts presents the risk of a denial-of-service attack. The lockout policy must weigh whether the risk of such a denial-of-service attack outweighs the benefits of thwarting password guessing attacks. SLES-12-010310 Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/common-password, append remember= _{use_authtok} to the line which refers to the pam_pwhistory.somodule, as shown below: password requisite pam_pwhistory.so ...existing_options... remember= _{use_authtok} The DoD STIG requirement is 5 passwords. SLES-12-010310 SV-91817r3_rule 5.3.3 1 12 15 16 5 5.6.2.1.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.8 CCI-000200 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(1)(e) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.5 SRG-OS-000077-GPOS-00045 SRG-OS-000077-VMM-000440 Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. var_password_pam_unix_remember="_{" ensure_pam_module_options '/etc/pam.d/common-password' 'password' 'requisite' 'pam_pwhistory.so' 'remember' "$var_password_pam_unix_remember" "$var_password_pam_unix_remember" ensure_pam_module_options '/etc/pam.d/common-password' 'password' 'requisite' 'pam_pwhistory.so' 'use_authtok' '' ''} SLES-12-010130 The SUSE operating system must lock an account after three consecutive invalid logon attempts. SLES-12-010130 SV-91767r2_rule CCI-000044 AC-7(a) By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Check that the systems locks a user account after three consecutive failed login attempts with the following command: # grep pam_tally2.so /etc/pam.d/common-auth auth required pam_tally2.so deny=3 # grep pam_tally2.so /etc/pam.d/common-account account required pam_tally2.so deny=3 If the "deny" option in one of the files is greater than "3" or is missing, this is a finding. _{ensure_pam_module_options '/etc/pam.d/common-auth' 'auth' 'required' 'pam_tally2.so' 'deny' '[123]' '3' ensure_pam_module_options '/etc/pam.d/common-account' 'account' 'required' 'pam_tally2.so' 'deny' '[123]' '3'} The default pam_pwquality PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of at least a certain length, are not the previous password reversed, and are not simply a change of case from the previous password. It can also require passwords to be in certain character classes. The pam_pwquality module is the preferred way of configuring password requirements. The pam_cracklib PAM module can also provide strength checking for passwords as the pam_pwquality module. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of at least a certain length, are not the previous password reversed, and are not simply a change of case from the previous password. It can also require passwords to be in certain character classes. The man pages pam_pwquality(8) and pam_cracklib(8) provide information on the capabilities and configuration of each. The pam_cracklib PAM module can be configured to meet requirements for a variety of policies. For example, to configure pam_cracklib to require at least one uppercase character, lowercase character, digit, and other (special) character, locate the following line in /etc/pam.d/system-auth: password requisite pam_cracklib.so try_first_pass retry=3 and then alter it to read: password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth. The arguments can be modified to ensure compliance with your organization's security policy. Discussion of each parameter follows. Note that the password quality requirements are not enforced for the root account for some reason. SLES-12-010170 The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords. CCI-000194 IA-5(a) SLES-12-010170 SV-91775r3_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3 Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. _{ensure_pam_module_options '/etc/pam.d/common-password' 'password' 'requisite' 'pam_cracklib.so' 'dcredit' '-1' '-1'} SLES-12-010190 The pam_cracklib module's difok parameter controls requirements for usage of different characters during a password change. Add difok= after pam_cracklib.so to require differing characters when changing passwords. SLES-12-010190 SV-91783r3_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(b) PR.AC-1 PR.AC-6 PR.AC-7 Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. var_password_pam_difok="_{" ensure_pam_module_options '/etc/pam.d/common-password' 'password' 'requisite' 'pam_cracklib.so' 'difok' "$var_password_pam_difok" "$var_password_pam_difok"} SLES-12-010160 The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords. SLES-12-010160 SV-91773r3_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3 Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. _{ensure_pam_module_options '/etc/pam.d/common-password' 'password' 'requisite' 'pam_cracklib.so' 'lcredit' '-1' '-1'} The pam_cracklib module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Add maxrepeat= after pam_cracklib.so to prevent a run of ( _{+ 1) or more identical characters: password required pam_cracklib.so maxrepeat=} 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7 Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. The pam_cracklib module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available: * Upper-case characters * Lower-case characters * Digits * Special characters (for example, punctuation) Add minclass= after pam_cracklib.so entry into the /etc/pam.d/system-auth file in order to require _{differing categories of characters when changing passwords. For example to require at least three character classes to be used in password, use minclass=3.} Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space. SLES-12-010250 The pam_cracklib module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements. CCI-000205 SLES-12-010250 SV-91805r3_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3 Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. var_password_pam_minlen="_{" ensure_pam_module_options '/etc/pam.d/common-password' 'password' 'requisite' 'pam_cracklib.so' 'minlen' "$var_password_pam_minlen" "$var_password_pam_minlen"} SLES-12-010180 The pam_cracklib module's ocredit= parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add ocredit= after pam_cracklib.so to require use of a special character in passwords. CCI-001619 SLES-12-010180 SV-91777r3_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. _{ensure_pam_module_options '/etc/pam.d/common-password' 'password' 'requisite' 'pam_cracklib.so' 'ocredit' '-1' '-1'} To configure the number of retry prompts that are permitted per-session: Edit the pam_cracklib.so statement in /etc/pam.d/system-auth to show retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session. 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(c) PR.AC-1 PR.AC-6 PR.AC-7 Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. SLES-12-010150, SLES-12-010320 The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords. CCI-000192 SLES-12-010150 SV-91771r3_rule SLES-12-010320 SV-91819r2_rule 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.7 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.3 Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. _{ensure_pam_module_options '/etc/pam.d/common-password' 'password' 'requisite' 'pam_cracklib.so' 'ucredit' '-1' '-1'} The pam_pwquality PAM module can be configured to meet requirements for a variety of policies. For example, to configure pam_pwquality to require at least one uppercase character, lowercase character, digit, and other (special) character, make sure that pam_pwquality exists in /etc/pam.d/system-auth: password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth. Next, modify the settings in /etc/security/pwquality.conf to match the following: difok = 4 minlen = 14 dcredit = -1 ucredit = -1 lcredit = -1 ocredit = -1 maxrepeat = 3 The arguments can be modified to ensure compliance with your organization's security policy. Discussion of each parameter follows. Number of failed login attempts before account lockout 10 3 5 6 3 Interval for counting failed login attempts before account lockout 100000000 1800 3600 86400 900 900 Seconds before automatic unlocking or permanently locking after excessive failed logins 1800 3600 600 604800 86400 900 never never Minimum number of digits in password 0 -1 -2 -1 Minimum number of lower case in password 0 -1 -2 -1 Maximum Number of Consecutive Repeating Characters in a Password From the Same Character Class 1 2 3 4 4 Maximum Number of Consecutive Repeating Characters in a Password 1 2 3 3 Minimum number of categories of characters that must exist in a password 1 2 3 4 3 Minimum number of characters in password 10 12 14 15 6 7 8 15 Minimum number of other (special characters) in password 0 -1 -2 -1 Number of retry attempts before erroring out 1 2 3 4 5 3 Minimum number of upper case in password 0 -1 -2 -1 Minimum number of characters not present in old password 15 1 2 3 4 5 6 7 8 8 The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations. SLES-12-010210 In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512 SLES-12-010210 SV-91789r2_rule 6.3.1 1 12 15 16 5 5.6.2.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.13.11 CCI-000196 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(c) IA-7 PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.1 SRG-OS-000073-GPOS-00041 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. Using a stronger hashing algorithm makes password cracking attacks more difficult. if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/g' /etc/login.defs else echo "" >> /etc/login.defs echo "ENCRYPT_METHOD SHA512" >> /etc/login.defs fi SLES-12-010230 The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/common-password, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below: password required pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. SLES-12-010230 SV-91801r3_rule 6.3.1 1 12 15 16 5 5.6.2.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.13.11 CCI-000196 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(b) IA-5(c) IA-5(1)(c) IA-7 PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.1 SRG-OS-000073-GPOS-00041 SRG-OS-000480-VMM-002000 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. _{ensure_pam_module_options '/etc/pam.d/common-password' 'password' 'required' 'pam_unix.so' 'sha512' '' ''} SLES-12-010240 In /etc/login.defs, remove or correct the following lines to ensure the system will use a sufficient number of hashing rounds to store passwords: SHA_CRYPT_MIN_ROUNDS 5000 SHA_CRYPT_MAX_ROUNDS 5000 SLES-12-010240 SV-91803r2_rule CCI-000196 IA-5(1)(c) IA-7 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. Using more hashing rounds makes password cracking attacks more difficult. _{replace_or_append '/etc/login.defs' '^SHA_CRYPT_MIN_ROUNDS' '5000' '' '%s %s' replace_or_append '/etc/login.defs' '^SHA_CRYPT_MAX_ROUNDS' '5000' '' '%s %s'} SLES-12-010200 The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/common-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below: auth required pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. SLES-12-010200 SV-91785r3_rule CCI-000803 IA-7 SRG-OS-000120-GPOS-00061 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. _{ensure_pam_module_options '/etc/pam.d/common-auth' 'auth' 'required' 'pam_unix.so' 'sha512' '' ''} It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some steps which, if taken, make it more difficult for an attacker to quickly or undetectably modify a system from its console. SLES-12-010610 By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed. To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following: ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target or systemctl mask ctrl-alt-del.target Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates. Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3. SLES-12-010610 SV-91867r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.4.5 CCI-000366 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227 A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. systemctl mask ctrl-alt-del.target When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User education and training is particularly important for screen locking to be effective, and policies can be implemented to reinforce this. Automatic screen locking is only meant as a safeguard for those cases where a user forgot to lock the screen. A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. SLES-12-010070 The SUSE operating system must have vlock installed to allow for session locking. The vlock package can be installed with the following command: $ sudo zypper install vlock SLES-12-010070 SV-91755r2_rule CCI-000056 CCI-000058 CCI-000060 AC-11(a) AC-11(b) AC-11(1) A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username and password. In Red Hat Enterprise Linux servers and workstations, hardware token login is not enabled by default and must be enabled in the system settings. Choose the Smart Card Driver in use by your organization. For DoD, choose the cac driver. If your driver is not listed and you don't want to use the default driver, use the other option and manually specify your driver. default acos5 akis asepcos atrust-acos authentic belpic cac cardos coolkey cyberflex dnie entersafe epass2003 flex gemsafeV1 gids gpk iasecc incrypto34 isoApplet itacns jpki MaskTech mcrd muscle myeid npa oberthur openpgp None PIV-II rutoken_ecp rutoken sc-hsm setcos starcos tcos westcos SLES-12-030500 Configure the operating system to implement multifactor authentication by installing the required packages with the following command: The pam_pkcs11 mozilla-nss mozilla-nss-tools pcsc-ccid pcsc-lite pcsc-tools opensc coolkey package can be installed with the following command: $ sudo zypper install pam_pkcs11 mozilla-nss mozilla-nss-tools pcsc-ccid pcsc-lite pcsc-tools opensc coolkey CCI-001948 CCI-001953 CCI-001954 IA-2(11) IA-2(12) SLES-12-030500 SV-92203r3_rule CCI-001954 SRG-OS-000375-GPOS-00160 Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. To enable smart card authentication, consult the documentation at: https://www.suse.com/c/configuring-smart-card-authentication-suse-linux-enterprise/ 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2(1) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.3 SRG-OS-000104-GPOS-00051 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000109-GPOS-00056 SRG-OS-000108-GPOS-00055 SRG-OS-000108-GPOS-00057 SRG-OS-000108-GPOS-00058 Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. SLES-12-030510 Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so: cert_policy = ca, ocsp_on, signature; CCI-001948 CCI-001953 CCI-001954 IA-2(11) IA-2(12) SLES-12-030510 SV-92205r2_rule CCI-001954 SRG-OS-000375-GPOS-00160 Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. _{package_install pam_pkcs11 # Enable pcscd.socket systemd activation socket service_command enable pcscd.socket # Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below # Define selected constants for later reuse SP="[:space:]" PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf" # Ensure OCSP is turned on in $PAM_PKCS11_CONF # 1) First replace any occurrence of 'none' value of 'cert_policy' key setting with the correct configuration sed -i "s/^[$SP]*cert_policy[$SP]\+=[$SP]\+none;/\t\tcert_policy = ca, ocsp_on, signature;/g" "$PAM_PKCS11_CONF" # 2) Then append 'ocsp_on' value setting to each 'cert_policy' key in $PAM_PKCS11_CONF configuration line, # which does not contain it yet sed -i "/ocsp_on/! s/^[$SP]*cert_policy[$SP]\+=[$SP]\+\(.*\);/\t\tcert_policy = \1, ocsp_on;/" "$PAM_PKCS11_CONF" true} SLES-12-030520 This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Check that the pam_pkcs11.so option is configured in the etc/pam.d/common-auth file with the following command: # grep pam_pkcs11.so /etc/pam.d/common-auth auth sufficient pam_pkcs11.so For general information about enabling smart card authentication, consult the documentation at: https://www.suse.com/c/configuring-smart-card-authentication-suse-linux-enterprise/ SLES-12-030520 SV-92207r3_rule CCI-000187 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-001948 CCI-001953 CCI-001954 IA-5(2)(c) IA-2(1) IA-2(2) IA-2(3) IA-2(4) IA-2(11) IA-2(12) Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. fname=$(mktemp -p /etc/pam.d common-auth-XXXXXXXX) chown --reference=/etc/pam.d/common-auth "$fname" chmod --reference=/etc/pam.d/common-auth "$fname" IFS=' ' # we want to add the pam_pkcs11 module at the beginning of the file, after the first comment comments_over=0 while read line ; do if ! [[ "$line" == \#* ]] && [[ "$comments_over" -eq 0 ]] ; then echo 'auth sufficient pam_pkcs11.so' comments_over=1 fi printf "%s\n" "$line" done < /etc/pam.d/common-auth > "$fname" [[ "$comments_over" -eq 0 ]] && echo 'auth sufficient pam_pkcs11.so' >> "$fname" mv "$fname" /etc/pam.d/common-auth SLES-12-030530 Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ca like so: cert_policy = ca, ocsp_on, signature; SLES-12-030530 SV-92209r1_rule CCI-000185 CCI-001991 IA-5(2)(a) IA-5(2)(d) Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. # Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below # Define selected constants for later reuse SP="[:space:]" PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf" _{package_install pam_pkcs11 # Ensure OCSP is turned on in $PAM_PKCS11_CONF # 1) First replace any occurrence of 'none' value of 'cert_policy' key setting with the correct configuration sed -i "s/^[$SP]*cert_policy[$SP]\+=[$SP]\+none;/\t\tcert_policy = ca, ocsp_on, signature;/g" "$PAM_PKCS11_CONF" # 2) Then append 'ca' value setting to each 'cert_policy' key in $PAM_PKCS11_CONF configuration line, # which does not contain it yet sed -i "/ca/! s/^[$SP]*cert_policy[$SP]\+=[$SP]\+\(.*\);/\t\tcert_policy = \1, ca;/" "$PAM_PKCS11_CONF" true} Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the /etc/passwd and /etc/shadow files. Password-based login is vulnerable to guessing of weak passwords, and to sniffing and man-in-the-middle attacks against passwords entered over a network or at an insecure console. Therefore, mechanisms for accessing accounts by entering usernames and passwords should be restricted to those which are operationally necessary. SLES-12-010640, SLES-12-010650 Change user IDs (UIDs), or delete accounts, so each has a unique name. SLES-12-010640 SV-91873r2_rule SLES-12-010650 SV-91875r2_rule CCI-000764 IA-2 IA-8 To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after inactivity can be set for all accounts by default and also on a per-account basis, such as for accounts that are known to be temporary. To configure automatic expiration of an account following the expiration of its password (that is, after the password has expired and not been changed), run the following command, substituting NUM_DAYS and USER appropriately: $ sudo chage -I NUM_DAYS USER Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the -E option. The file /etc/default/useradd controls default settings for all newly-created accounts created with the system's normal command line utilities. This will only apply to newly created accounts The number of days to wait after a password expires, until the account will be permanently disabled. 0 180 30 35 40 60 90 35 SLES-12-010340 To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd: INACTIVE= A value of 35 is recommended; however, this profile expects that the value is set to . If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users. SLES-12-010340 SV-91823r1_rule 1 12 13 14 15 16 18 3 5 7 8 5.6.2.1.1 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.6 CCI-000017 CCI-000795 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(2) AC-2(3) IA-4(e) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 Req-8.1.4 SRG-OS-000118-GPOS-00060 SRG-OS-000003-VMM-000030 SRG-OS-000118-VMM-000590 Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. var_account_disable_post_pw_expiration="_{" replace_or_append '/etc/default/useradd' '^INACTIVE' "$var_account_disable_post_pw_expiration" '' '%s=%s'} SLES-12-010360 Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately: $ sudo chage -E YYYY-MM-DD USER YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours. SLES-12-010360 SV-91825r2_rule 1 12 13 14 15 16 18 3 5 7 8 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS06.03 CCI-000016 CCI-001682 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(2) AC-2(3) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 SRG-OS-000002-GPOS-00153 SRG-OS-000002-VMM-000020 SRG-OS-000123-VMM-000620 If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Change usernames, or delete accounts, so each has a unique name. 5.5.2 CCI-000770 CCI-000804 Req-8.1.1 Unique usernames allow for accountability on the system. Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. This system should integrate with an existing enterprise user management system, such as one based on Identity Management tools such as Active Directory, Kerberos, Directory Server, etc. A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight. SLES-12-010270 Configure all user accounts to enforce 24 hours/1 day or greater as the minimum password age. Check the minimum time period between password changes for each user account with the following command: # sudo cat /etc/shadow | cut -d ':' -f1,4 | grep -v 1 | grep -v ":$" smithj:1 Change the minimum time period between password changes for each user account to "1" day with this command, replacing [USER] with the user account that must be changed: # sudo passwd -n 1 [USER] SLES-12-010270 SV-91809r1_rule CCI-000198 IA-5(1)(d) IA-5(1).1(v) Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. for user in $( awk -F':' '$4==0 { print $1 }' < /etc/shadow ) ; do passwd -n 1 "$user" done SLES-12-010290 Configure all user accounts to enforce 24 hours/1 day or greater as the maximum password age. Check the maximum time period between password changes for each user account with the following command: # sudo awk -F':' '$5 > _{{ print $1, $5 }' < /etc/shadow smithj 90} Change the maximum time period between password changes for each user account to day with this command, replacing [USER] with the user account that must be changed: # sudo passwd -x _[USER] SLES-12-010290 SV-91813r1_rule CCI-000199 IA-5(1)(d) IA-5(1).1(v) Enforcing a maximum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. var_accounts_maximum_age_login_defs="_{" for user in $( awk -F':' '$5 > '"$var_accounts_maximum_age_login_defs"' { print $1 }' < /etc/shadow ) ; do passwd -x "$var_accounts_maximum_age_login_defs" "$user" done} SLES-12-010330 Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Check to see if an emergency administrator account password or account expires with the following command: # sudo chage -l [Emergency_Administrator] Password expires:never If Password expires or Account expires is set to anything other than never, this is a finding. SLES-12-010330 SV-91821r2_rule CCI-001682 AC-2(2) Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. To address access requirements the SUSE operating system can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. SLES-12-010660 Temporary passwords for SUSE operating system logons must require an immediate change to a permanent password. Verify that a policy exists that ensures when a user is created, it is creating using a method that forces a user to change their password upon their next login. SLES-12-010660 SV-91877r1_rule CCI-002041 IA-5(1)(f) Without providing this capability, an account may be created without a password. Nonrepudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial logon. Temporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts that allow the users to log on, yet force them to change the password once they have successfully authenticated. The file /etc/login.defs controls several password-related settings. Programs such as passwd, su, and login consult /etc/login.defs to determine behavior with regard to password aging, expiration warnings, and length. See the man page login.defs(5) for more information. Users should be forced to change their passwords, in order to decrease the utility of compromised passwords. However, the need to change passwords often should be balanced against the risk that users will reuse or write down passwords if forced to change them too often. Forcing password changes every 90-360 days, depending on the environment, is recommended. Set the appropriate value as PASS_MAX_DAYS and apply it to existing accounts with the -M flag. The PASS_MIN_DAYS (-m) setting prevents password changes for 7 days after the first change, to discourage password cycling. If you use this setting, train users to contact an administrator for an emergency password change in case a new password becomes compromised. The PASS_WARN_AGE (-W) setting gives users 7 days of warnings at login time that their passwords are about to expire. For example, for each existing human user USER, expiration parameters could be adjusted to a 180 day maximum password age, 7 day minimum password age, and 7 day warning period with the following command: $ sudo chage -M 180 -m 7 -W 7 USER Maximum age of password in days This will only apply to newly created accounts 120 180 60 90 60 Minimum age of password in days This will only apply to newly created accounts 0 1 2 5 7 7 Minimum number of characters in password This will only check new passwords 10 12 14 15 6 8 15 The number of days' warning given before a password expires. This will only apply to newly created accounts 0 14 7 7 SLES-12-010280 To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is . SLES-12-010280 SV-91811r2_rule IA-5(1)(d) IA-5(1).1(v) 5.4.1.1 1 12 15 16 5 5.6.2.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.6 CCI-000199 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(g) IA-5(1)(d) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.4 SRG-OS-000076-GPOS-00044 Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. var_accounts_maximum_age_login_defs="_{" grep -q ^PASS_MAX_DAYS /etc/login.defs && \ sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs if ! [ $? -eq 0 ]; then echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs fi} SLES-12-010260 To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MIN_DAYS A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is . IA-5(1)(d) IA-5(1).1(v) SLES-12-010260 SV-91807r2_rule 1 12 15 16 5 5.6.2.1.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.8 CCI-000198 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(1)(d) PR.AC-1 PR.AC-6 PR.AC-7 SRG-OS-000075-GPOS-00043 Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. var_accounts_minimum_age_login_defs="_{" grep -q ^PASS_MIN_DAYS /etc/login.defs && \ sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs if ! [ $? -eq 0 ]; then echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs fi} To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MIN_LEN The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is . If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements. 1 12 15 16 5 5.6.2.1 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.7 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(f) IA-5(1)(a) PR.AC-1 PR.AC-6 PR.AC-7 FMT_MOF_EXT.1 Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line: PASS_WARN_AGE The DoD requirement is 7. The profile requirement is . 1 12 13 14 15 16 18 3 5 7 8 DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.8 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2 A.12.4.1 A.12.4.3 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(2) IA-5(f) DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 Setting the password warning age enables users to make the change at a practical time. By default, password hashes for local accounts are stored in the second field (colon-separated) in /etc/shadow. This file should be readable only by processes running with root credentials, preventing users from casually accessing others' password hashes and attempting to crack them. However, it remains possible to misconfigure the system and store password hashes in world-readable files such as /etc/passwd, or to even store passwords themselves in plaintext on the system. Using system-provided tools for password change/creation should allow administrators to avoid such misconfiguration. If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely. 1 12 15 16 5 5.5.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.5.10 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-5(h) PR.AC-1 PR.AC-6 PR.AC-7 Req-8.2.1 The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users. Add a group to the system for each GID referenced without a corresponding group. 1 12 15 16 5 5.5.2 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 CCI-000764 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2 PR.AC-1 PR.AC-6 PR.AC-7 Req-8.5.a SRG-OS-000104-GPOS-00051 If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Gruop Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group. SLES-12-010231 If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/common-password and /etc/pam.d/common-auth to prevent logins with empty passwords. CCI-000196 IA-5(1)(c) SLES-12-010231 SV-96499r1_rule 1 12 13 14 15 16 18 3 5 5.5.2 APO01.06 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.10 3.1.1 3.1.5 CCI-000366 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-6 IA-5(b) IA-5(c) IA-5(1)(a) PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 FIA_AFL.1 Req-8.2.3 SRG-OS-000480-GPOS-00227 If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/password-auth The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any .netrc files should be removed. 1 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 CCI-000196 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 IA-5(h) AC-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.PT-3 Unencrypted passwords for remote FTP servers may be stored in .netrc files. DoD policy requires passwords be encrypted in storage and not used in access scripts. SLES-12-010220 Verify the SUSE operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command: # sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes ! or * indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with $6, this is a finding. SLES-12-010220 SV-91795r2_rule IA-5(h) The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use su or sudo to execute privileged commands. Discouraging administrators from accessing the root account directly ensures an audit trail in organizations with multiple administrators. Locking down the channels through which root can connect directly also reduces opportunities for password-guessing against the root account. The login program uses the file /etc/securetty to determine which interfaces should allow root logins. The virtual devices /dev/console and /dev/tty* represent the system consoles (accessible via the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default installation). The default securetty file also contains /dev/vc/*. These are likely to be deprecated in most environments, but may be retained for compatibility. Root should also be prohibited from connecting via network protocols. Other sections of this document include guidance describing how to prevent root from logging in via SSH. If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned. 6.2.5 1 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.10 3.1.1 3.1.5 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-6 IA-2 IA-2(1) IA-4 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 SRG-OS-000480-GPOS-00227 An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface. This is dangerous as user can login to the system as root via Telnet, which sends the password in plain text over the network. By default, SUSE Linux Enterprise 12's /etc/securetty file only allows the root user to login at the console physically attached to the system. To prevent root from logging in, remove the contents of this file. To prevent direct root logins, remove the contents of this file by typing the following command: $ sudo echo > /etc/securetty 5.5 1 12 15 16 5 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.1.1 3.1.6 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-2 IA-2(1) PR.AC-1 PR.AC-6 PR.AC-7 Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems. echo > /etc/securetty Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. System accounts are those user accounts with a user ID less than UID_MIN, where value of the UID_MIN directive is set in /etc/login.defs configuration file. In the default configuration UID_MIN is set to 500, thus system accounts are those user accounts with a user ID less than 500. If any system account SYSACCT (other than root) has an unlocked password, disable it with the command: $ sudo passwd -l SYSACCT IA-2 Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.false To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty: ttyS0 ttyS1 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.1 3.1.5 CCI-000770 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(2) IA-2 PR.AC-4 PR.DS-5 Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. sed -i '/ttyS/d' /etc/securetty To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty: vc/1 vc/2 vc/3 vc/4 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.1 3.1.5 CCI-000770 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(2) IA-2 PR.AC-4 PR.DS-5 Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. sed -i '/^vc\//d' /etc/securetty When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the user's home directory, and may have weak permissions as a result of user error or misconfiguration. If an attacker can modify or even read certain types of account configuration information, they can often gain full access to the affected user's account. Therefore, it is important to test and correct configuration file permissions for interactive accounts, particularly those of privileged users such as root or system administrators. Maximum time in seconds between fail login attempts before re-prompting. 1 2 3 4 5 4 Maximum number of concurrent sessions by a user 1 10 15 20 3 5 1 In an interactive shell, the value is interpreted as the number of seconds to wait for input after issueing the primary prompt. Bash terminates after waiting for that number of seconds if input does not arrive. 1800 600 900 300 600 SLES-12-010720 All local interactive user accounts, upon creation, should be assigned a home directory. Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows: CREATE_HOME yes CCI-000366 CM-6(b) SLES-12-010720 SV-91895r1_rule SRG-OS-000480-GPOS-00227 If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. if ! grep -q ^CREATE_HOME /etc/login.defs; then echo "CREATE_HOME yes" >> /etc/login.defs else sed -i "s/^\(CREATE_HOME\).*/\1 yes/g" /etc/login.defs fi SLES-12-010140 To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows: FAIL_DELAY SLES-12-010140 SV-91769r1_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 AC-7(b) CM-6(b) PR.IP-1 SRG-OS-000480-GPOS-00226 Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. # Set variables var_accounts_fail_delay="_{" replace_or_append '/etc/login.defs' '^FAIL_DELAY' "$var_accounts_fail_delay" '' '%s %s'} SLES-12-010120 Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf: * hard maxlogins SLES-12-010120 SV-91765r2_rule 14 15 18 9 5.5.2.2 DSS01.05 DSS05.02 CCI-000054 4.3.3.4 SR 3.1 SR 3.8 A.13.1.1 A.13.1.3 A.13.2.1 A.14.1.2 A.14.1.3 AC-10 PR.AC-5 SRG-OS-000027-GPOS-00008 SRG-OS-000027-VMM-000080 Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. var_accounts_max_concurrent_login_sessions="_{" if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf else echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf fi} SLES-12-010090 Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile.d/autologout.sh should read as follows: TMOUT= _{readonly TMOUT export TMOUT} CCI-000057 AC-11(a) SLES-12-010090 SV-91759r1_rule 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 3.1.11 CCI-001133 CCI-000361 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-12 SC-10 PR.AC-7 FMT_MOF_EXT.1 SRG-OS-000163-GPOS-00072 SRG-OS-000163-VMM-000700 SRG-OS-000279-VMM-001010 Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. var_accounts_tmout="_{" replace_or_append '/etc/profile' '^TMOUT' "$var_accounts_tmout" '' '%s=%s'} SLES-12-010780 Set the mode on files being executed by the user initialization files with the following command: $ sudo chmod g-w,o-w FILE SLES-12-010780 SV-91921r1_rule CCI-000366 SRG-OS-000480-GPOS-00227 If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. SLES-12-010770 Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory. SLES-12-010770 SV-91915r3_rule CCI-000366 SRG-OS-000480-GPOS-00227 The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). SLES-12-010710 Assign home directories to all interactive users that currently do not have a home directory assigned. SLES-12-010710 SV-91893r1_rule CM-6(b) CCI-000366 SRG-OS-000480-GPOS-00227 If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. SLES-12-010730 Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd: $ sudo mkdir /home/USER SLES-12-010730 SV-91899r1_rule CM-6(b) CCI-000366 SRG-OS-000480-GPOS-00227 If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. SLES-12-010750 Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories, use the following command: $ sudo chgrp USER_GROUP /home/USER/FILE_DIR CM-6(b) SLES-12-010750 SV-91907r2_rule CCI-000366 SRG-OS-000480-GPOS-00227 If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them. SLES-12-010760 Set the mode of the user initialization files to 0740 or less permissive with the following command: $ sudo chmod g-wx,o= /home/USER/.INIT_FILE CM-6(b) SLES-12-010760 SV-91911r2_rule CCI-000366 SRG-OS-000480-GPOS-00227 Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. SLES-12-010740 Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command: $ sudo chmod 0750 /home/USER CM-6(b) SLES-12-010740 SV-91903r3_rule CCI-000366 SRG-OS-000480-GPOS-00227 Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. for dir in $(getent passwd | awk -F: '$3 >= 1000 {print $6}') ; do perms=$(stat -c '%A' "$dir") if [[ "$perms" == ?????w???? ]] || [[ "$perms" == ???????r?? ]] || [[ "$perms" == ????????w? ]] || [[ "$perms" == ?????????x ]] ; then chmod g-w,o= "$dir" fi done For each human user of the system, view the permissions of the user's home directory: # ls -ld /home/USER Ensure that the directory is not group-writable and that it is not world-readable. If necessary, repair the permissions: # chmod g-w /home/USER # chmod o-rwx /home/USER This action may involve modifying user home directories. Notify your user community, and solicit input if appropriate, before making this type of change. 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-000225 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(7) PR.AC-4 PR.DS-5 User home directories contain many configuration files which affect the behavior of a user's account. No user should ever have write permission to another user's home directory. Group shared directories can be configured in sub-directories or elsewhere in the filesystem if they are needed. Typically, user home directories should not be world-readable, as it would disclose file names to other users. If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs. The active path of the root account can be obtained by starting a new root shell and running: # echo $PATH This will produce a colon-separated list of directories in the path. Certain path elements could be considered dangerous, as they could lead to root executing unknown or untrusted programs, which could contain malicious code. Since root may sometimes work inside untrusted directories, the . character, which represents the current directory, should never be in the root path, nor should any directory which can be written to by an unprivileged or semi-privileged (system) user. It is a good practice for administrators to always execute privileged commands by typing the full path to the command. For each element in root's path, run: # ls -ld DIR and ensure that write permissions are disabled for group and other. 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code. Ensure that none of the directories in root's path is equal to a single . character, or that it contains any instances that lead to relative path traversal, such as .. or beginning a path without the slash (/) character. Also ensure that there are no "empty" elements in the path, such as in these examples: PATH=:/bin PATH=/bin: PATH=/bin::/sbin These empty elements have the same effect as a single . character. 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 Including these entries increases the risk that root could execute code from an untrusted location. The umask setting controls the default permissions for the creation of new files. With a default umask setting of 077, files and directories created by users will not be readable by any other user on the system. Users who wish to make specific files group- or world-readable can accomplish this by using the chmod command. Additionally, users can make all their files readable to their group by default by setting a umask of 027 in their shell configuration files. If default per-user groups exist (that is, if every user has a default group whose name is the same as that user's username and whose only member is the user), then it may even be safe for users to select a umask of 007, making it very easy to intentionally share files with groups of which the user is a member. Enter default user umask 007 022 027 077 027 SLES-12-010620 To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows: UMASK SLES-12-010620 SV-91869r1_rule 11 18 3 9 APO13.01 BAI03.01 BAI03.02 BAI03.03 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.1.1 A.14.2.1 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.5 A.6.1.5 CM-6(b) SA-8 PR.IP-1 PR.IP-2 SRG-OS-000480-GPOS-00228 The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. var_accounts_user_umask="_{" replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask" '' '%s %s'} To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows: umask 5.4.4 18 APO13.01 BAI03.01 BAI03.02 BAI03.03 CCI-000366 4.3.4.3.3 A.14.1.1 A.14.2.1 A.14.2.5 A.6.1.5 SA-8 PR.IP-2 The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. Remove the UMASK environment variable from all interactive users initialization files. CCI-001814 SRG-OS-000480-GPOS-00227 The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo. Under its default configuration, auditd has modest disk space requirements, and should not noticeably impact system performance. NOTE: The Linux Audit daemon auditd can be configured to use the augenrules program to read audit rules files (*.rules) located in /etc/audit/rules.d location and compile them to create the resulting form of the /etc/audit/audit.rules configuration file during the daemon startup (default configuration). Alternatively, the auditd daemon can use the auditctl utility to read audit rules from the /etc/audit/audit.rules configuration file during daemon startup, and load them into the kernel. The expected behavior is configured via the appropriate ExecStartPost directive setting in the /usr/lib/systemd/system/auditd.service configuration file. To instruct the auditd daemon to use the augenrules program to read audit rules (default configuration), use the following setting: ExecStartPost=-/sbin/augenrules --load in the /usr/lib/systemd/system/auditd.service configuration file. In order to instruct the auditd daemon to use the auditctl utility to read audit rules, use the following setting: ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules in the /usr/lib/systemd/system/auditd.service configuration file. Refer to [Service] section of the /usr/lib/systemd/system/auditd.service configuration file for further details. Government networks often have substantial auditing requirements and auditd can be configured to meet these requirements. Examining some example audit records demonstrates how the Linux audit system satisfies common requirements. The following example from Fedora Documentation available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages shows the substantial amount of information captured in a two typical "raw" audit messages, followed by a breakdown of the most important fields. In this example the message is SELinux-related and reports an AVC denial (and the associated system call) that occurred when the Apache HTTP Server attempted to access the /var/www/html/file1 file (labeled with the samba_share_t type): type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) msg=audit(1226874073.147:96)The number in parentheses is the unformatted time stamp (Epoch time) for the event, which can be converted to standard time by using the date command. { getattr }The item in braces indicates the permission that was denied. getattr indicates the source process was trying to read the target file's status information. This occurs before reading files. This action is denied due to the file being accessed having the wrong label. Commonly seen permissions include getattr, read, and write.comm="httpd"The executable that launched the process. The full path of the executable is found in the exe= section of the system call (SYSCALL) message, which in this case, is exe="/usr/sbin/httpd". path="/var/www/html/file1"The path to the object (target) the process attempted to access. scontext="unconfined_u:system_r:httpd_t:s0"The SELinux context of the process that attempted the denied action. In this case, it is the SELinux context of the Apache HTTP Server, which is running in the httpd_t domain. tcontext="unconfined_u:object_r:samba_share_t:s0"The SELinux context of the object (target) the process attempted to access. In this case, it is the SELinux context of file1. Note: the samba_share_t type is not accessible to processes running in the httpd_t domain. From the system call (SYSCALL) message, two items are of interest: success=no: indicates whether the denial (AVC) was enforced or not. success=no indicates the system call was not successful (SELinux denied access). success=yes indicates the system call was successful - this can be seen for permissive domains or unconfined domains, such as initrc_t and kernel_t. exe="/usr/sbin/httpd": the full path to the executable that launched the process, which in this case, is exe="/usr/sbin/httpd". The auditd service should be installed. NT28(R50) The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparision with potential local access control policy such as SELinux policy. SLES-12-020010 The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command: $ sudo systemctl enable auditd.service SLES-12-020010 SV-91985r1_rule 4.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.3.1 3.3.2 3.3.6 CCI-000126 CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(C) 164.310(a)(2)(iv) 164.310(d)(2)(iii) 164.312(b) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-2(g) AU-3 AC-17(1) AU-1(b) AU-10 AU-12(a) AU-12(c) AU-14(1) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.1 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000042-GPOS-00021 SRG-OS-000254-GPOS-00095 SRG-OS-000255-GPOS-00096 SRG-OS-000037-VMM-000150 SRG-OS-000063-VMM-000310 SRG-OS-000038-VMM-000160 SRG-OS-000039-VMM-000170 SRG-OS-000040-VMM-000180 SRG-OS-000041-VMM-000190 Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded. Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. _{package_install 'audit' || exit 1 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'auditd.service' "$SYSTEMCTL_EXEC" enable 'auditd.service'} - name: Enable service auditd service: name: auditd enabled: 'yes' state: started when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - service_auditd_enabled - high_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-2(g) - NIST-800-53-AU-3 - NIST-800-53-AC-17(1) - NIST-800-53-AU-1(b) - NIST-800-53-AU-10 - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-AU-14(1) - NIST-800-53-IR-5 - NIST-800-171-3.3.1 - NIST-800-171-3.3.2 - NIST-800-171-3.3.6 - PCI-DSS-Req-10.1 - CJIS-5.4.1.1 - DISA-STIG-020010 SLES-12-020000 The audit service should be installed. SLES-12-020000 SV-91983r3_rule CCI-000172 AU-12(c) AU-7(a) AU-7(b) AU-8(b) AU-12(3) CM-5(1) AU-12.1(iv) The audit service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparision with potential local access control policy such as SELinux policy. _{package_install audit} - name: Ensure audit is installed package: name: audit state: present when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - package_audit_installed - medium_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AU-12(c) - NIST-800-53-AU-7(a) - NIST-800-53-AU-7(b) - NIST-800-53-AU-8(b) - NIST-800-53-AU-12(3) - NIST-800-53-CM-5(1) - NIST-800-53-AU-12.1(iv) - DISA-STIG-020000 include install_audit class install_audit { package { 'audit': ensure => 'installed', } } SLES-12-020070 The audit-audispd-plugins service should be installed. SLES-12-020070 SV-91997r1_rule CCI-001851 AU-4(1) The audit-audispd-plugins service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparision with potential local access control policy such as AppArmor policy. _{package_install audit-audispd-plugins} - name: Ensure audit-audispd-plugins is installed package: name: audit-audispd-plugins state: present when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - package_audit-audispd-plugins_installed - medium_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AU-4(1) - DISA-STIG-020070 include install_audit-audispd-plugins class install_audit-audispd-plugins { package { 'audit-audispd-plugins': ensure => 'installed', } } The auditd program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings for comprehensive auditing, but a full description of the auditing system's capabilities is beyond the scope of this guide. The mailing list linux-audit@redhat.com exists to facilitate community discussion of the auditing system. The audit subsystem supports extensive collection of events, including: Tracing of arbitrary system calls (identified by name or number) on entry or exit.Filtering by PID, UID, call success, system call argument (with some limitations), etc.Monitoring of specific files for modifications to the file's contents or metadata. Auditing rules at startup are controlled by the file /etc/audit/audit.rules. Add rules to it to meet the auditing requirements for your organization. Each line in /etc/audit/audit.rules represents a series of arguments that can be passed to auditctl and can be individually tested during runtime. See documentation in /usr/share/doc/audit-VERSION and in the related man pages for more details. If copying any example audit rulesets from /usr/share/doc/audit-VERSION, be sure to comment out the lines containing arch= which are not appropriate for your system's architecture. Then review and understand the following rules, ensuring rules are activated as needed for the appropriate architecture. After reviewing all the rules, reading the following sections, and editing as needed, the new rules can be activated as follows: $ sudo service auditd restart If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable: -e 2 If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable: -e 2 With this setting, a reboot will be required to change any audit rules. 4.1.18 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8 5.4.1.1 APO01.06 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.3.1 3.4.3 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.310(a)(2)(iv) 164.312(d) 164.310(d)(2)(iii) 164.312(b) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-1(b) AU-2(a) AU-2(c) AU-2(d) IR-5 DE.AE-3 DE.AE-5 ID.SC-4 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.5.2 Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/selinux/ -p wa -k MAC-policy If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy 5.2.7 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.8 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export 5.2.13 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-3(1) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.7 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification 5.2.6 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.5.5 The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information: -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information: -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session 5.2.9 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.3 Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000130 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(7)(b) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-3(1) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.2 Req-10.2.5.b SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000462-VMM-001840 SRG-OS-000471-VMM-001910 The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification This rule checks for multiple syscalls related to account changes; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: audit_rules_usergroup_modification_groupaudit_rules_usergroup_modification_gshadowaudit_rules_usergroup_modification_passwd 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-002130 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.5 SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000241-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000476-GPOS-00221 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/group" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/passwd" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/gshadow" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/shadow" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"} SLES-12-020210 If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification SLES-12-020210 SV-92013r2_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001683 CCI-001684 CCI-001685 CCI-001686 CCI-002130 CCI-002132 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000004-GPOS-00004 SRG-OS-000004-VMM-000040 SRG-OS-000239-VMM-000810 SRG-OS-000240-VMM-000820 SRG-OS-000241-VMM-000830 SRG-OS-000274-VMM-000960 SRG-OS-000275-VMM-000970 SRG-OS-000276-VMM-000980 SRG-OS-000277-VMM-000990 SRG-OS-000303-VMM-001090 SRG-OS-000304-VMM-001100 SRG-OS-000476-VMM-001960 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/group" "wa" "audit_rules_usergroup_modification"} SLES-12-020590 If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification SLES-12-020590 SV-92089r1_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001683 CCI-001684 CCI-001685 CCI-001686 CCI-002130 CCI-002132 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000004-GPOS-00004 SRG-OS-000004-VMM-000040 SRG-OS-000239-VMM-000810 SRG-OS-000240-VMM-000820 SRG-OS-000241-VMM-000830 SRG-OS-000274-VMM-000960 SRG-OS-000275-VMM-000970 SRG-OS-000276-VMM-000980 SRG-OS-000277-VMM-000990 SRG-OS-000303-VMM-001090 SRG-OS-000304-VMM-001100 SRG-OS-000476-VMM-001960 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"} SLES-12-020230 If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification SLES-12-020230 SV-92017r2_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001683 CCI-001684 CCI-001685 CCI-001686 CCI-002130 CCI-002132 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000003-GPOS-00004 SRG-OS-000004-VMM-000040 SRG-OS-000239-VMM-000810 SRG-OS-000240-VMM-000820 SRG-OS-000241-VMM-000830 SRG-OS-000274-VMM-000960 SRG-OS-000275-VMM-000970 SRG-OS-000276-VMM-000980 SRG-OS-000277-VMM-000990 SRG-OS-000303-VMM-001090 SRG-OS-000304-VMM-001100 SRG-OS-000476-VMM-001960 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"} SLES-12-020200 If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/passwd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/passwd -p wa -k audit_rules_usergroup_modification SLES-12-020200 SV-92011r1_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001683 CCI-001684 CCI-001685 CCI-001686 CCI-002130 CCI-002132 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000476-GPOS-00221 SRG-OS-000004-VMM-000040 SRG-OS-000239-VMM-000810 SRG-OS-000240-VMM-000820 SRG-OS-000241-VMM-000830 SRG-OS-000274-VMM-000960 SRG-OS-000275-VMM-000970 SRG-OS-000276-VMM-000980 SRG-OS-000277-VMM-000990 SRG-OS-000303-VMM-001090 SRG-OS-000304-VMM-001100 SRG-OS-000476-VMM-001960 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/passwd" "wa" "audit_rules_usergroup_modification"} SLES-12-020220 If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/shadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/shadow -p wa -k audit_rules_usergroup_modification SLES-12-020220 SV-92015r3_rule 5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001683 CCI-001684 CCI-001685 CCI-001686 CCI-002130 CCI-002132 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.5 SRG-OS-000004-GPOS-00004 SRG-OS-000004-VMM-000040 SRG-OS-000239-VMM-000810 SRG-OS-000240-VMM-000820 SRG-OS-000241-VMM-000830 SRG-OS-000274-VMM-000960 SRG-OS-000275-VMM-000970 SRG-OS-000276-VMM-000980 SRG-OS-000277-VMM-000990 SRG-OS-000303-VMM-001090 SRG-OS-000304-VMM-001100 SRG-OS-000476-VMM-001960 In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/shadow" "wa" "audit_rules_usergroup_modification"} The audit system should collect access events to read audit log directory. The following audit rule will assure that access to audit log directory are collected. -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rule to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rule to /etc/audit/audit.rules file. FAU_GEN.1.1.c Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.' If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command: $ sudo chmod 0750 /var/log/audit Otherwise, change the mode of the audit log files with the following command: $ sudo chmod 0700 /var/log/audit 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8 APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-1(b) AU-9 IR-5 DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4 If users can write to audit logs, audit trails can be modified or destroyed. All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit, run the command: $ sudo chown root /var/log/audit To properly set the owner of /var/log/audit/*, run the command: $ sudo chown root /var/log/audit/* 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8 5.4.1.1 APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01 3.3.1 CCI-000163 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AU-1(b) AU-9 IR-5 DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.5.1 SRG-OS-000058-GPOS-00028 Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') if ! [ "${GROUP}" == 'root' ] ; then chown root.${GROUP} /var/log/audit chown root.${GROUP} /var/log/audit/audit.log* else chown root.root /var/log/audit chown root.root /var/log/audit/audit.log* fi else chown root.root /var/log/audit chown root.root /var/log/audit/audit.log* fi SLES-12-020240 Verify the SUSE operating system generates an audit record when privileged functions are executed. Find relevant setuid and setgid programs using the following command once for each local system partition, replacing "[PARTITION]" with each local system partition: # sudo find [PARTITION] -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null Verify all of the programs found with the command above are listed in the audit file by running the following command for every program found, replacing "[FILE_PATH]" with each program to include the full path: # grep [FILE_PATH] /etc/audit/audit.rules -w [SETUID_FILE_PATH] -p wa -k privilege_function All setuid and setgid programs on the system must have a corresponding audit rule, or there must be an audit rule for the subdirectory that contains the setuid/setgid file. Note that these rules can be configured in a number of ways while still achieving the desired effect. SLES-12-020240 SV-92019r1_rule CCI-001814 CCI-001875 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001889 CCI-001914 CCI-002234 CM-5(1) AU-7(a) AU-7(b) AU-8(b) AU-12(3) AU-6(9) Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. IFS=' ' for fs in $(df --local --output=target | tail -n +2) ; do for f in $(find "$fs" -xdev -type f \( -perm -4000 -o -perm -2000 \) \( -perm -100 -o -perm -10 -o -perm -1 \) ) ; do fix_audit_watch_rule auditctl "$f" "xwa" "audit_rules_usergroup_modification" fix_audit_watch_rule augenrules "$f" "xwa" "audit_rules_usergroup_modification" done done By default, SUSE Linux Enterprise 12 ships an audit rule to disable syscall auditing for performance reasons. To make sure that syscall auditing works, this line must be removed from /etc/audit/rules.d/audit.rules and /etc/audit/audit.rules: -a task,never Audit rules for syscalls do not take effect unless this line is removed. for f in /etc/audit/audit.rules /etc/audit/rules.d/*.rules ; do sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' "$f" done At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify system calls for auditing. Even if the system is 64 bit it can still execute 32 bit system calls. Additionally, these rules can be configured in a number of ways while still achieving the desired effect. An example of this is that the "-S" calls could be split up and placed on separate lines, however, this is less efficient. Add the following to /etc/audit/audit.rules: -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If your system is 64 bit then these lines should be duplicated and the arch=b32 replaced with arch=b64 as follows: -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod SLES-12-020460 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020460 SV-92063r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'chmod' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S chmod.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020420 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020420 SV-92055r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'chown' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S chown.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020470 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020470 SV-92065r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'fchmod' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S fchmod.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020480 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020480 SV-92067r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'fchmodat' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S fchmodat.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020430 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020430 SV-92057r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'fchown' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S fchown.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020450 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020450 SV-92061r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'fchownat' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S fchownat.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020410 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020410 SV-92053r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'fremovexattr' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020380 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020380 SV-92047r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'fsetxattr' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020440 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020440 SV-92059r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'lchown' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S lchown.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020400 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020400 SV-92051r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'lremovexattr' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000474-GPOS-00219 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'lsetxattr' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020390 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020390 SV-92049r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'removexattr' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S removexattr.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020370 At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020370 SV-92045r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.5 SRG-OS-000064-GPOS-00033 SRG-OS-000392-GPOS-00172 SRG-OS-000458-GPOS-00203 SRG-OS-000458-VMM-001810 SRG-OS-000474-VMM-001940 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'setxattr' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S setxattr.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020290 At a minimum, the audit system should collect file system mount changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=privileged-mount If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=privileged-mount If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=privileged-mount If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=privileged-mount Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020290 SV-92029r2_rule The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'mount' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S mount.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020300 At a minimum, the audit system should collect file system umount changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=privileged-umount If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=privileged-umount Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020300 SV-92031r2_rule The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'umount' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S umount.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} At a minimum, the audit system should collect file system umount2 changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=privileged-umount2 If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=privileged-umount2 If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=privileged-umount2 If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=privileged-umount2 Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # the umount syscall only exists for the 32bit architecture, so only ever generate a 32bit rule for it if [ "$(getconf LONG_BIT)" = "32" ] || [ 'umount2' = umount ] ; then RULE_ARCHS=("b32") else RULE_ARCHS=("b32" "b64") fi for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S umount2.*" GROUP="perm_mod" FULL_RULE="-a always,exit -F arch=$ARCH -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} At a minimum, the audit system should collect the execution of SELinux privileged commands for all users and root. SLES-12-020630 At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change SLES-12-020630 SV-92097r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000392-GPOS-00172 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000463-VMM-001850 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/usr/bin/chcon\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020620 At a minimum, the audit system should collect any execution attempt of the chacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod SLES-12-020620 SV-92095r2_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/usr/bin/chacl\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020600 At a minimum, the audit system should collect any execution attempt of the chmod command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod SLES-12-020600 SV-92091r2_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/usr/bin/chmod\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020710 At a minimum, the audit system should collect any execution attempt of the crontab command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod SLES-12-020710 SV-92113r2_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/usr/bin/crontab\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020640 At a minimum, the audit system should collect any execution attempt of the rm command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod SLES-12-020640 SV-92099r2_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/usr/bin/rm\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020610 At a minimum, the audit system should collect any execution attempt of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod SLES-12-020610 SV-92093r2_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/usr/bin/setfacl\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020310 At a minimum, the audit system should collect any execution attempt of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent SLES-12-020310 SV-92033r2_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/usr/bin/ssh-agent\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=unset -F key=delete This rule checks for multiple syscalls related to file deletion; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: audit_rules_file_deletion_events_rmdiraudit_rules_file_deletion_events_unlinkaudit_rules_file_deletion_events_unlinkat 5.2.14 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000366 CCI-000172 CCI-002884 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules Place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules. To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module,finit_module,create_module,delete_module -F key=modules The place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules. This rule checks for multiple syscalls related to kernel module loading and unloading; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: audit_rules_kernel_module_loading_insmodaudit_rules_kernel_module_loading_rmmodaudit_rules_kernel_module_loading_modprobe 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.7 The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. SLES-12-020730 To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S delete_module -F key=modules Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules. SLES-12-020730 SV-92117r2_rule 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222 SRG-OS-000477-VMM-001970 The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # Note: 32-bit and 64-bit kernel syscall numbers not always line up => # it's required on a 64-bit system to check also for the presence # of 32-bit's equivalent of the corresponding rule. # (See `man 7 audit.rules` for details ) [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S delete_module \(-F key=\|-k \).*" GROUP="modules" FULL_RULE="-a always,exit -F arch=$ARCH -S delete_module -k modules" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020740 If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S finit_module -F key=modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S finit_module -F key=modules SLES-12-020740 SV-92119r2_rule 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222 SRG-OS-000477-VMM-001970 The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # Note: 32-bit and 64-bit kernel syscall numbers not always line up => # it's required on a 64-bit system to check also for the presence # of 32-bit's equivalent of the corresponding rule. # (See `man 7 audit.rules` for details ) [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S finit_module \(-F key=\|-k \).*" GROUP="modules" FULL_RULE="-a always,exit -F arch=$ARCH -S finit_module -k modules" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020750 To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S init_module -F key=modules Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules. SLES-12-020750 SV-92121r2_rule 5.2.17 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 SRG-OS-000471-GPOS-00216 SRG-OS-000477-GPOS-00222 SRG-OS-000477-VMM-001970 The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # Note: 32-bit and 64-bit kernel syscall numbers not always line up => # it's required on a 64-bit system to check also for the presence # of 32-bit's equivalent of the corresponding rule. # (See `man 7 audit.rules` for details ) [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S init_module \(-F key=\|-k \).*" GROUP="modules" FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -k modules" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock -p wa -k logins -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w /var/run/faillock -p wa -k logins -w /var/log/lastlog -p wa -k logins This rule checks for multiple syscalls related to login events; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: audit_rules_login_events_tallylogaudit_rules_login_events_faillockaudit_rules_login_events_lastlog 5.2.8 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.3 Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. SLES-12-020660 The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/lastlog -p wa -k logins SLES-12-020660 SV-92103r1_rule 5.2.8 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 CCI-000126 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.3 SRG-OS-000392-GPOS-00172 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218 SRG-OS-000473-VMM-001930 SRG-OS-000470-VMM-001900 Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins" fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins"} SLES-12-020650 The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins SLES-12-020650 SV-92101r1_rule 5.2.8 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 CCI-000126 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.3 SRG-OS-000392-GPOS-00172 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218 SRG-OS-000473-VMM-001930 SRG-OS-000470-VMM-001900 Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins" fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins"} SLES-12-020760 The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing failed logon events: -w /var/log/faillog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing failed logon events: -w /var/log/faillog -p wa -k logins SLES-12-020760 SV-92123r1_rule CCI-000172 CCI-002884 CCI-000126 AU-3 MA-4(1)(a) AU-12(a) AU-12(c) Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_watch_rule "auditctl" "/var/log/faillog" "wa" "logins" fix_audit_watch_rule "augenrules" "/var/log/faillog" "wa" "logins"} At a minimum, the audit system should collect the execution of privileged commands for all users and root. At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list: -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged This rule checks for multiple syscalls related to privileged commands; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: audit_rules_privileged_commands_suaudit_rules_privileged_commands_umountaudit_rules_privileged_commands_passwd 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO08.04 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-002234 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.5 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.3 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-2(4) AU-6(9) AU-12(a) AU-12(c) IR-5 DE.AE-2 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 DE.DP-4 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 RS.CO-2 Req-10.2.2 SRG-OS-000327-GPOS-00127 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. SLES-12-020690 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged SLES-12-020690 SV-92109r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/usr/bin/chage\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020580 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged SLES-12-020580 SV-92087r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/usr/bin/chsh\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020560 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged SLES-12-020560 SV-92083r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/usr/bin/gpasswd\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020570 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged SLES-12-020570 SV-92085r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/usr/bin/newgrp\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020720 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged SLES-12-020720 SV-92115r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/sbin/pam_timestamp_check\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020550 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged SLES-12-020550 SV-92081r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/usr/bin/passwd\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020320 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/lib/ssh/key-sign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/lib/ssh/key-sign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) SLES-12-020320 SV-92035r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/usr/lib/ssh/ssh-keysign\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020250 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged SLES-12-020250 SV-92021r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/usr/bin/su\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020260 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged SLES-12-020260 SV-92023r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/usr/bin/sudo\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020270 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged SLES-12-020270 SV-92025r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/usr/bin/sudoedit\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020680 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged SLES-12-020680 SV-92107r2_rule 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 AU-3(1) AU-12(c) DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215 SRG-OS-000471-VMM-001910 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. PATTERN="-a always,exit -F path=/sbin/unix_chkpwd\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020280 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-chfn If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-chfn SLES-12-020280 SV-92027r2_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/usr/bin/chfn\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020330 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -w /sbin/insmod -p x -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -w /sbin/insmod -p x -k modules SLES-12-020330 SV-92037r1_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/sbin/insmod\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/sbin/insmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020360 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -w /usr/bin/kmod -p x -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -w /usr/bin/kmod -p x -k modules SLES-12-020360 SV-92043r1_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/usr/bin/kmod\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020350 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -w /sbin/modprobe -p x -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -w /sbin/modprobe -p x -k modules SLES-12-020350 SV-92041r1_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/sbin/modprobe\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/sbin/modprobe -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020670 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passmass If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passmass SLES-12-020670 SV-92105r2_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/usr/bin/passmass\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020340 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -w /sbin/rmmod -p x -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -w /sbin/rmmod -p x -k modules SLES-12-020340 SV-92039r1_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/sbin/rmmod\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/sbin/rmmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} SLES-12-020700 At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod SLES-12-020700 SV-92111r2_rule CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) MA-4(1)(a) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). PATTERN="-a always,exit -F path=/usr/sbin/usermod\\s\\+.*" GROUP="privileged" # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ARCH="" FULL_RULE="-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"} Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time. All changes to the system time should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules 5.2.4 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-001487 CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.4.2.b Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules 5.2.4 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-001487 CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.4.2.b Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules 5.2.4 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-001487 CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.4.2.b Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems: -a always,exit -F arch=b32 -S stime -F key=audit_time_rules Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems: -a always,exit -F arch=b32 -S stime -F key=audit_time_rules Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined system calls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-001487 CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.4.2.b Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. 5.2.4 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-001487 CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(b) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.4.2.b Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. At a minimum, the audit system should collect unauthorized file accesses for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify system calls for auditing. Even if the system is 64 bit it can still execute 32 bit system calls. Additionally, these rules can be configured in a number of ways while still achieving the desired effect. An example of this is that the "-S" calls could be split up and placed on separate lines, however, this is less efficient. Add the following to /etc/audit/audit.rules: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If your system is 64 bit then these lines should be duplicated and the arch=b32 replaced with arch=b64 as follows: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access This rule checks for multiple syscalls related to unsuccessful file modification; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: audit_rules_unsuccessful_file_modification_openaudit_rules_unsuccessful_file_modification_ftruncateaudit_rules_unsuccessful_file_modification_creat 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.4 Req-10.2.1 Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. SLES-12-020520 At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) SLES-12-020520 SV-92075r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172 SRG-OS-000458-VMM-001810 SRG-OS-000461-VMM-001830 Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S creat -F exit=-EACCES.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S creat -F exit=-EPERM.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020510 At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) SLES-12-020510 SV-92073r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172 SRG-OS-000458-VMM-001810 SRG-OS-000461-VMM-001830 Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EACCES.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EPERM.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020490 At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) SLES-12-020490 SV-92069r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172 SRG-OS-000458-VMM-001810 SRG-OS-000461-VMM-001830 Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S open -F exit=-EACCES.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S open -F exit=-EPERM.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020540 At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) SLES-12-020540 SV-92079r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172 SRG-OS-000458-VMM-001810 SRG-OS-000461-VMM-001830 Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EACCES.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EPERM.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020530 At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) SLES-12-020530 SV-92077r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172 SRG-OS-000458-VMM-001810 SRG-OS-000461-VMM-001830 Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S openat -F exit=-EACCES.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S openat -F exit=-EPERM.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} SLES-12-020500 At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. CCI-000130 CCI-000169 CCI-000172 CCI-002884 AU-3 AU-12(a) AU-12(c) SLES-12-020500 SV-92071r2_rule 5.2.10 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AC-17(7) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-12(a) AU-12(c) IR-5 DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.4 Req-10.2.1 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000392-GPOS-00172 SRG-OS-000458-VMM-001810 SRG-OS-000461-VMM-001830 Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S truncate -F exit=-EACCES.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' _{fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S truncate -F exit=-EPERM.*" GROUP="access" FULL_RULE="-a always,exit -F arch=$ARCH -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done} The audit system writes data to /var/log/audit/audit.log. By default, auditd rotates 5 logs by size (6MB), retaining a maximum of 30MB of data in total, and refuses to write entries when the disk is too full. This minimizes the risk of audit data filling its partition and impacting other services. This also minimizes the risk of the audit daemon temporarily disabling the system if it cannot write audit log (which it can be configured to do). For a busy system or a system which is thoroughly auditing system activity, the default settings for data retention may be insufficient. The log file size needed will depend heavily on what types of events are being audited. First configure auditing to log all the events of interest. Then monitor the log size manually for awhile to determine what file size will allow you to keep the required data for the correct time period. Using a dedicated partition for /var/log/audit prevents the auditd logs from disrupting system functionality if they fill, and, more importantly, prevents other activity in /var from filling the partition and stopping the audit trail. (The audit logs are size-limited and therefore unlikely to grow without bound unless configured to do so.) Some machines may have requirements that no actions occur which cannot be audited. If this is the case, then auditd can be configured to halt the machine if it runs out of space. Note: Since older logs are rotated, configuring auditd this way does not prevent older logs from being rotated away before they can be viewed. If your system is configured to halt when logging cannot be performed, make sure this can never happen under normal circumstances! Ensure that /var/log/audit is on its own partition, and that this partition is larger than the maximum amount of data auditd will retain normally. The setting for disk_full_action in /etc/audisp/audisp-remote.conf single email exec halt single suspend syslog The setting for network_failure_action in /etc/audisp/audisp-remote.conf single email exec halt single suspend syslog The setting for remote_server in /etc/audisp/audisp-remote.conf myhost.mydomain.com The setting for action_mail_acct in /etc/audit/auditd.conf admin root root The setting for admin_space_left_action in /etc/audit/auditd.conf single email exec halt single suspend syslog rotate The setting for disk_error_action in /etc/audit/auditd.conf single email exec halt single syslog The setting for disk_full_action in /etc/audit/auditd.conf single email exec halt single syslog The setting for flush in /etc/audit/auditd.conf data data incremental incremental_async none sync The setting for max_log_size in /etc/audit/auditd.conf 1 10 20 5 6 6 The setting for max_log_file_action in /etc/audit/auditd.conf rotate keep_logs rotate suspend syslog The setting for num_logs in /etc/audit/auditd.conf 0 1 2 3 4 5 5 The setting for space_left_action in /etc/audit/auditd.conf email email exec halt single suspend syslog rotate The setting for space_left (MB) in /etc/audit/auditd.conf 1000 100 250 500 750 100 SLES-12-020090 Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the remote_server option in /etc/audisp/audisp-remote.conf with an IP address or hostname of the system that the audispd plugin should send audit records to. For example: remote_server = AU-4(1) SLES-12-020090 SV-92001r1_rule CCI-001851 FAU_GEN.1.1.c SRG-OS-000342-GPOS-00133 SRG-OS-000051-VMM-000230 SRG-OS-000058-VMM-000270 SRG-OS-000059-VMM-000280 SRG-OS-000479-VMM-001990 SRG-OS-000479-VMM-001990 Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. var_audispd_remote_server="_{" if [[ "$var_audispd_remote_server" = "myhost.mydomain.com" ]] ; then echo "Refusing to set the audispd remote server to the unusable default value. Please configure the 'var_audispd_remote_server' variable before continuing." >&2 exit 1 fi AUDITCONFIG=/etc/audisp/audisp-remote.conf replace_or_append $AUDITCONFIG '^remote_server' "$var_audispd_remote_server" ""} SLES-12-020110 Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately: disk_full_action = ACTION Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. AU-4(1) SLES-12-020110 SV-92005r1_rule CCI-001851 SRG-OS-000342-GPOS-00133 Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. _{package_install audit-audispd-plugins || exit 1 AUDITCONFIG=/etc/audisp/audisp-remote.conf replace_or_append $AUDITCONFIG '^disk_full_action' "single" ""} SLES-12-020080 Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the enable_krb5 option in /etc/audisp/audisp-remote.conf, and set it with the following line: enable_krb5 = yes AU-4(1) SLES-12-020080 SV-91999r2_rule CCI-001851 FAU_GEN.1.1.c SRG-OS-000342-GPOS-00133 Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. _{package_install audit-audispd-plugins || exit 1 AUDISP_REMOTE_CONFIG="/etc/audisp/audisp-remote.conf" option="^enable_krb5" value="yes" replace_or_append $AUDISP_REMOTE_CONFIG "$option" "$value" ""} SLES-12-020100 Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately: network_failure_action = ACTION Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. AU-4(1) SLES-12-020100 SV-92003r2_rule CCI-001851 SRG-OS-000342-GPOS-00133 Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. _{package_install audit-audispd-plugins || exit 1 replace_or_append '/etc/audisp/audisp-remote.conf' '^network_failure_action' syslog} To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart 1 11 12 13 14 15 16 19 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-000136 164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(B) 164.308(a)(5)(ii)(C) 164.308(a)(6)(ii) 164.308(a)(8) 164.310(d)(2)(iii) 164.312(b) 164.314(a)(2)(i)(C) 164.314(a)(2)(iii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 AU-1(b) AU-3(2) IR-5 DE.AE-3 DE.AE-5 PR.PT-1 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.5.3 SRG-OS-000051-VMM-000230 SRG-OS-000058-VMM-000270 SRG-OS-000059-VMM-000280 SRG-OS-000479-VMM-001990 SRG-OS-000479-VMM-001990 The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server var_syslog_active="yes" AUDISP_SYSLOGCONFIG=/etc/audisp/plugins.d/syslog.conf _{replace_or_append $AUDISP_SYSLOGCONFIG '^active' "$var_syslog_active" ""} The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: disk_error_action = ACTION Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Taking appropriate action in case of disk errors will minimize the possibility of losing audit records. SLES-12-020060 The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: disk_full_action = ACTION Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. SLES-12-020060 SV-91995r1_rule 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. var_auditd_disk_full_action="_{" replace_or_append /etc/audit/auditd.conf '^disk_full_action' "$var_auditd_disk_full_action" ""} SLES-12-020040 The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations: action_mail_acct = CCI-000139 AU-5(a) SLES-12-020040 SV-91991r2_rule 5.2.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-000139 CCI-001855 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(1) AU-5(a) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7.a SRG-OS-000343-GPOS-00134 SRG-OS-000046-VMM-000210 SRG-OS-000343-VMM-001240 Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. var_auditd_action_mail_acct="_{" AUDITCONFIG=/etc/audit/auditd.conf replace_or_append $AUDITCONFIG '^action_mail_acct' "$var_auditd_action_mail_acct" ""} The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: admin_space_left_action = ACTION Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. 5.2.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-000140 CCI-001343 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7 Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of _{for STOREMB: max_log_file = STOREMB Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.} 5.2.1.1 1 11 12 13 14 15 16 19 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 AU-1(b) AU-11 IR-5 DE.AE-3 DE.AE-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7 The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf: max_log_file_action = ACTION Possible values for ACTION are described in the auditd.conf man page. These include: syslogsuspendrotatekeep_logs Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive. 5.2.1.3 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-11 IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7 Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed. Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of _{: num_logs = NUMLOGS Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.} 1 11 12 13 14 15 16 19 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 AU-1(b) AU-11 IR-5 DE.AE-3 DE.AE-5 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7 The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. var_auditd_num_logs="_{" AUDITCONFIG=/etc/audit/auditd.conf replace_or_append $AUDITCONFIG '^num_logs' "$var_auditd_num_logs" ""} SLES-12-020030 The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately: space_left = SIZE_in_MB Where SIZE_in_MB is at least 25% of the capacity of partition storing /var/log/audit. AU-5(1) SLES-12-020030 SV-91989r1_rule 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 CCI-001855 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(b) IR-5 AU-5(1) DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7 SRG-OS-000343-GPOS-00134 SRG-OS-000343-VMM-001240 Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. divide_round_up() { dividend="$1" divisor="$2" # to round up instead of truncate the result, we add (divisor - 1) to the dividend echo $((($dividend + $divisor - 1) / $divisor)) } partition_size=$(df -B1M --output=size /var/log/audit | awk 'NR==2 {print $1}') # threshold is 1 quarter of the partition size space_left=$(divide_round_up "$partition_size" 4) _{replace_or_append '/etc/audit/auditd.conf' '^space_left' "$space_left" ''} The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately: space_left_action = ACTION Possible values for ACTION are described in the auditd.conf man page. These include: syslogemailexecsuspendsinglehalt Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt. 5.2.1.2 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 5.4.1.1 APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01 3.3.1 CCI-001855 164.312(a)(2)(ii) 4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1 AU-1(b) AU-4 AU-5(1) AU-5(b) IR-5 DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4 Req-10.7 SRG-OS-000343-GPOS-00134 SRG-OS-000343-VMM-001240 Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. SLES-12-020020 The SUSE operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Check the size of the partition that audit records are written to with the following command: # df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit SLES-12-020020 SV-91987r3_rule CCI-001851 FAU_GEN.1.1.c SRG-OS-000342-GPOS-00133 SRG-OS-000051-VMM-000230 SRG-OS-000058-VMM-000270 SRG-OS-000059-VMM-000280 SRG-OS-000479-VMM-001990 SRG-OS-000479-VMM-001990 Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity. During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly on different partitions or media. The default Red Hat Enterprise Linux boot loader for x86 systems is called GRUB. Options it can pass to the kernel include single-user mode, which provides root access without any authentication, and the ability to disable SELinux. To prevent local users from modifying the boot parameters and endangering security, protect the boot loader configuration with a password and ensure its configuration file's permissions are set properly. During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly on different partitions or media. The default SUSE Linux Enterprise 12 boot loader for x86 systems is called GRUB2. Options it can pass to the kernel include single-user mode, which provides root access without any authentication, and the ability to disable SELinux. To prevent local users from modifying the boot parameters and endangering security, protect the boot loader configuration with a password and ensure its configuration file's permissions are set properly. On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. NT28(R11) On x86 architectures, activating the I/OMMU prevents the system from arbritrary accesses potentially made by hardware devices. SLES-12-010430 The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password and modify the /etc/grub.d/01_users configuration file with the new account name. Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command: $ grub2-mkpasswd-pbkdf2 When prompted, enter the password that was selected. NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root'). $ sed -i s/root/bootuser/g /etc/grub.d/01_users To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running: grub2-mkconfig -o /boot/grub2/grub.cfg NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. SLES-12-010430 SV-91839r3_rule 1.4.2 1 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10 3.4.5 CCI-000213 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 IA-2 IA-2(1) IA-5(e) AC-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.PT-3 FIA_AFL.1 SRG-OS-000080-GPOS-00048 Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. SLES-12-010440 The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password and and modify the /etc/grub.d/01_users configuration file with the new account name. Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command: $ grub2-mkpasswd-pbkdf2 When prompted, enter the password that was selected. NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root'). $ sed -i s/root/bootuser/g /etc/grub.d/01_users To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running: grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. SLES-12-010440 SV-91841r3_rule 1.4.2 11 12 14 15 16 18 3 5 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06 3.4.5 CCI-000213 164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3 PR.AC-4 PR.AC-6 PR.PT-3 FIA_AFL.1 SRG-OS-000080-GPOS-00048 Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. The I/O operations of the Linux kernel block layer due to their inherently unpredictable execution times have been traditionally considered as a reliable source to contribute to random-number entropy pool of the Linux kernel. This has changed with introduction of solid-state storage devices (SSDs) though. For each solid-state drive on the system, run: # echo 0 > /sys/block/DRIVE/queue/add_random In contrast to traditional electromechanical magnetic disks, containing spinning disks and / or movable read / write heads, the solid-state storage devices (SSDs) do not contain moving / mechanical components. Therefore the I/O operation completion times are much more predictable for them. The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lack of authentication, encryption, or reliable transport for messages sent over a network. However, due to its long history, syslog is a de facto standard which is supported by almost all Unix applications. In SUSE Linux Enterprise 12, rsyslog has replaced ksyslogd as the syslog daemon of choice, and it includes some additional security features such as reliable, connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server. This section discusses how to configure rsyslog for best effect, and how to use tools provided with the system to maintain and monitor logs. Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ sudo zypper install rsyslog NT28(R5) NT28(R46) 4.2.3 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-001311 CCI-001312 164.312(a)(2)(ii) 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9(2) PR.PT-1 The rsyslog package provides the rsyslog daemon, which provides system logging services. _{package_install rsyslog} - name: Ensure rsyslog is installed package: name: rsyslog state: present when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - package_rsyslog_installed - medium_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AU-9(2) include install_rsyslog class install_rsyslog { package { 'rsyslog': ensure => 'installed', } } The rsyslog service provides syslog-style logging by default on SUSE Linux Enterprise 12. The rsyslog service can be enabled with the following command: $ sudo systemctl enable rsyslog.service NT28(R5) NT28(R46) 4.2.1.1 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 CCI-001311 CCI-001312 CCI-001557 CCI-001851 164.312(a)(2)(ii) 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 A.17.2.1 AU-4(1) AU-12 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.DS-4 PR.PT-1 The rsyslog service must be running in order to provide logging services, which are essential to system administration. _{package_install 'rsyslog' || exit 1 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'rsyslog.service' "$SYSTEMCTL_EXEC" enable 'rsyslog.service'} - name: Enable service rsyslog service: name: rsyslog enabled: 'yes' state: started when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - service_rsyslog_enabled - medium_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AU-4(1) - NIST-800-53-AU-12 SLES-12-030310 Ensure that the system real-time clock (RTC) is set to Coordinated Universal Time (UTC). SLES-12-030310 SV-92173r1_rule CCI-001890 AU-8(b) SRG-OS-000359-GPOS-00146 If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the operating system include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC. LOCAL_TZ=`timedatectl status | grep -c "RTC in local TZ: yes"` if [ $LOCAL_TZ -eq 1 ]; then timedatectl set-local-rtc 0 --adjust-system-clock fi Is this system the central log server? If so, edit the file /etc/logwatch/conf/logwatch.conf as shown below. The file /etc/rsyslog.conf controls where log message are written. These are controlled by lines called rules, which consist of a selector and an action. These rules are often customized depending on the role of the system, the requirements of the environment, and whatever may enable the administrator to most effectively make use of log data. The default rules in SUSE Linux Enterprise 12 are: *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg * uucp,news.crit /var/log/spooler local7.* /var/log/boot.log See the man page rsyslog.conf(5) for more information. Note that the rsyslog daemon can be configured to use a timestamp format that some log processing programs may not understand. If this occurs, edit the file /etc/rsyslog.conf and add or edit the following line: $ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat Specify group owner of all logfiles specified in /etc/rsyslog.conf. root adm root Specify user owner of all logfiles specified in /etc/rsyslog.conf. root adm root The group-owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner: $ ls -l LOGFILE If the owner is not , run the following command to correct this: $ sudo chgrp _LOGFILE 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-001314 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 SI-11 PR.AC-4 PR.DS-5 Req-10.5.1 Req-10.5.2 The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. The owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner: $ ls -l LOGFILE If the owner is not , run the following command to correct this: $ sudo chown _LOGFILE 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 CCI-001314 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 SI-11 PR.AC-4 PR.DS-5 Req-10.5.1 Req-10.5.2 The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions: $ ls -l LOGFILE If the permissions are not 600 or more restrictive, run the following command to correct this: $ sudo chmod 0600 LOGFILE" 4.2.1.3 CCI-001314 SI-11 Req-10.5.1 Req-10.5.2 Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value. Edit the file /etc/logrotate.d/syslog. Find the first line, which should look like this (wrapped for clarity): /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \ /var/log/boot.log /var/log/cron { Edit this line so that it contains a one-space-separated listing of each log file referenced in /etc/rsyslog.conf. All logs in use on a system must be rotated regularly, or the log files will consume disk space over time, eventually interfering with system operation. The file /etc/logrotate.d/syslog is the configuration file used by the logrotate program to maintain all log files written by syslog. By default, it rotates logs weekly and stores four archival copies of each log. These settings can be modified by editing /etc/logrotate.conf, but the defaults are sufficient for purposes of this guide. Note that logrotate is run nightly by the cron job /etc/cron.daily/logrotate. If particularly active logs need to be rotated more often than once a day, some other mechanism must be used. The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf: # rotate log files frequency daily 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-000366 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9 PR.PT-1 Req-10.7 Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. LOGROTATE_CONF_FILE="/etc/logrotate.conf" CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" # daily rotation is configured grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE # remove any line configuring weekly, monthly or yearly rotation sed -i -r "/^(weekly|monthly|yearly)$/d" $LOGROTATE_CONF_FILE # configure cron.daily if not already if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE fi By default, rsyslog does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon to receive messages from other systems and for the system thus to act as a log server. If the system is not a log server, then lines concerning these modules should remain commented out. syslog-ng can be installed in replacement of rsyslog. The syslog-ng-core package can be installed with the following command: $ sudo zypper install syslog-ng-core NT28(R46) NT28(R5) 5.1.1 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 CCI-001311 CCI-001312 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9(2) PR.PT-1 The syslog-ng-core package provides the syslog-ng daemon, which provides system logging services. The rsyslog daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to /etc/rsyslog.conf to enable reception of messages over TCP: $ModLoad imtcp $InputTCPServerRun 514 4.2.1.5 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9 PR.PT-1 If the system needs to act as a log server, this ensures that it can receive messages over a reliable TCP connection. The rsyslog daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to /etc/rsyslog.conf to enable reception of messages over UDP: $ModLoad imudp $UDPServerRun 514 4.2.1.5 1 14 15 16 3 5 6 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 AU-9 PR.PT-1 Many devices, such as switches, routers, and other Unix-like systems, may only support the traditional syslog transmission over UDP. If the system must act as a log server, this enables it to receive their messages as well. The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian 8. The syslog-ng service can be enabled with the following command: $ sudo systemctl enable syslog-ng.service NT28(R46) NT28(R5) 5.1.2 1 12 13 14 15 16 2 3 5 6 7 8 9 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS01.03 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 6.2 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.14.2.7 A.15.2.1 A.15.2.2 A.17.2.1 AU-4(1) AU-12 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.DS-4 PR.PT-1 The syslog-ng service must be running in order to provide logging services, which are essential to system administration. If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised the root account on a system may delete the log entries which indicate that the system was attacked before they are seen by an administrator. However, it is recommended that logs be stored on the local host in addition to being sent to the loghost, especially if rsyslog has been configured to use the UDP protocol to send messages over a network. UDP does not guarantee reliable delivery, and moderately busy sites will lose log messages occasionally, especially in periods of high traffic which may be the result of an attack. In addition, remote rsyslog messages are not authenticated in any way by default, so it is easy for an attacker to introduce spurious messages to the central log server. Also, some problems cause loss of network connectivity, which will prevent the sending of messages to the central server. For all of these reasons, it is better to store log messages both centrally and on each host, so that they can be correlated if necessary. Specify an URI or IP address of a remote host where the log messages will be sent and stored. logcollector SLES-12-030340 To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @loghost.example.com To use TCP for log message delivery: *.* @@loghost.example.com To use RELP for log message delivery: *.* :omrelp:loghost.example.com There must be a resolvable DNS CNAME or Alias record set to "_{" for logs to be sent correctly to the centralized logging utility.} CCI-001851 AU-4(1) SRG-OS-000479-GPOS-00224 SLES-12-030340 SV-92179r1_rule NT28(R7) 4.2.1.4 1 13 14 15 16 2 3 5 6 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS05.04 DSS05.07 MEA02.01 CCI-000366 CCI-001348 CCI-000136 CCI-001851 164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(B) 164.308(a)(5)(ii)(C) 164.308(a)(6)(ii) 164.308(a)(8) 164.310(d)(2)(iii) 164.312(b) 164.314(a)(2)(i)(C) 164.314(a)(2)(iii) 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 7.1 SR 7.2 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.17.2.1 AU-3(2) AU-4(1) AU-9 PR.DS-4 PR.PT-1 FAU_GEN.1.1.c SRG-OS-000480-GPOS-00227 SRG-OS-000032-VMM-000130 A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. rsyslog_remote_loghost_address="_{" if [[ "$rsyslog_remote_loghost_address" = "logcollector" ]] ; then echo 'Refusing to configure the set the remote host to the default value. Please set rsyslog_remote_loghost_address to a sensible value before continuing.' >&2 exit 1 fi replace_or_append '/etc/rsyslog.conf' '^\*\.\*' "@@$rsyslog_remote_loghost_address" '' '%s %s'} Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking which must be made when configuring a system. This section also discusses firewalls, network access controls, and other network security frameworks, which allow system-level rules to be written that can limit an attackers' ability to connect to your system. These rules can specify that network traffic should be allowed or denied from certain IP addresses, hosts, and networks. The rules can also specify which of the system's network services are available to particular hosts or networks. SLES-12-030440 The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode: $ ip link | grep PROMISC CM-6(b) SLES-12-030440 SV-92199r2_rule 1 11 14 3 9 APO11.06 APO12.06 BAI03.10 BAI09.01 BAI09.02 BAI09.03 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.05 DSS04.05 DSS05.02 DSS05.05 DSS06.06 CCI-000366 4.2.3.4 4.3.3.3.7 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 SR 7.8 A.11.1.2 A.11.2.4 A.11.2.5 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.16.1.6 A.8.1.1 A.8.1.2 A.9.1.2 CM-7 CM-7(2).1(i) MA-3 DE.DP-5 ID.AM-1 PR.IP-1 PR.MA-1 PR.PT-3 SRG-OS-000480-GPOS-00227 Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel. The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly. A graphical configuration tool, firewall-config, is used to configure firewalld, which in turn uses iptables tool to communicate with Netfilter in the kernel which implements packet filtering. The firewall service provided by firewalld is dynamic rather than static because changes to the configuration can be made at anytime and are immediately implemented. There is no need to save or apply the changes. No unintended disruption of existing network connections occurs as no part of the firewall has to be reloaded. Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or via the firewall-config tool. The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. These are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted: dropAny incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.blockAny incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.publicFor use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.externalFor use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.dmzFor computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.workFor use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.homeFor use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.internalFor use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.trustedAll network connections are accepted. It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone. To find out all the settings of a zone, for example the public zone, enter the following command as root: # firewall-cmd --zone=public --list-all Example output of this command might look like the following: # firewall-cmd --zone=public --list-all public interfaces: services: mdns dhcpv6-client ssh ports: forward-ports: icmp-blocks: source-quench To view the network zones currently active, enter the following command as root: # firewall-cmd --get-service The following listing displays the result of this command on common SUSE Linux Enterprise 12 system: # firewall-cmd --get-service amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https Finally to view the network zones that will be active after the next firewalld service reload, enter the following command as root: # firewall-cmd --get-service --permanent The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in configuration files under the /etc/firewalld/services and /etc/firewalld/zones directories. The following recommendations describe how to strengthen the default ruleset configuration file. An alternative to editing this configuration file is to create a shell script that makes calls to the firewall-cmd program to load in rules under the /etc/firewalld/services and /etc/firewalld/zones directories. Instructions apply to both unless otherwise noted. Language and address conventions for regular firewalld rules are used throughout this section. The program firewall-config allows additional services to penetrate the default firewall rules and automatically adjusts the firewalld ruleset(s). Support for Internet Protocol Security (IPsec) A host-based firewall called netfilter is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program iptables, and the entire capability is frequently referred to by this name. An analogous program called ip6tables handles filtering for IPv6. Unlike TCP Wrappers, which depends on the network server program to support and respect the rules written, netfilter filtering occurs at the kernel level, before a program can even process the data from the network packet. As such, any program on the system is affected by the rules written. This section provides basic information about strengthening the iptables and ip6tables configurations included with the system. For more complete information that may allow the construction of a sophisticated ruleset tailored to your environment, please consult the references at the end of this section. View the currently-enforced iptables rules by running the command: $ sudo iptables -nL --line-numbers The command is analogous for ip6tables. If the firewall does not appear to be active (i.e., no rules appear), activate it and ensure that it starts at boot by issuing the following commands (and analogously for ip6tables): $ sudo service iptables restart The default iptables rules are: Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) num target prot opt source destination 1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) num target prot opt source destination The ip6tables default rules are essentially the same. The ip6tables service can be enabled with the following command: $ sudo systemctl enable ip6tables.service 1 11 12 13 14 15 16 18 3 4 6 8 9 APO01.06 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CA-3(c) CM-7 DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6. The iptables service can be enabled with the following command: $ sudo systemctl enable iptables.service 1 11 12 13 14 15 16 18 3 4 6 8 9 APO01.06 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CA-3(c) CM-7 DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP. To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/ip6tables: :INPUT DROP [0:0] If changes were required, reload the ip6tables rules: $ sudo service ip6tables reload 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 In ip6tables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files iptables and ip6tables in the directory /etc/sysconfig. Many of the lines in these files are similar to the command line arguments that would be provided to the programs /sbin/iptables or /sbin/ip6tables - but some are quite different. The following recommendations describe how to strengthen the default ruleset configuration file. An alternative to editing this configuration file is to create a shell script that makes calls to the iptables program to load in rules, and then invokes service iptables save to write those loaded rules to /etc/sysconfig/iptables. The following alterations can be made directly to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Instructions apply to both unless otherwise noted. Language and address conventions for regular iptables are used throughout this section; configuration for ip6tables will be either analogous or explicitly covered. The program system-config-securitylevel allows additional services to penetrate the default firewall rules and automatically adjusts /etc/sysconfig/iptables. This program is only useful if the default ruleset meets your security requirements. Otherwise, this program should not be used to make changes to the firewall configuration because it re-writes the saved configuration file. To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables: :INPUT DROP [0:0] 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in /etc/sysconfig/iptables: :FORWARD DROP [0:0] 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 In iptables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. In /etc/sysconfig/iptables, the accepted ICMP messages types can be restricted. To accept only ICMP echo reply, destination unreachable, and time exceeded messages, remove the line: -A INPUT -p icmp --icmp-type any -j ACCEPT and insert the lines: -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT To allow the system to respond to pings, also insert the following line: -A INPUT -p icmp --icmp-type echo-request -j ACCEPT Ping responses can also be limited to certain networks or hosts by using the -s option in the previous rule. Because IPv6 depends so heavily on ICMPv6, it is preferable to deny the ICMPv6 packets you know you don't need (e.g. ping requests) in /etc/sysconfig/ip6tables, while letting everything else through: -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP If you are going to statically configure the system's address, it should ignore Router Advertisements which could add another IPv6 address to the interface or alter important network settings: -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP Restricting ICMPv6 message types in /etc/sysconfig/ip6tables is not recommended because the operation of IPv6 depends heavily on ICMPv6. Thus, great care must be taken if any other ICMPv6 types are blocked. Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the modified policy will reject non-matching packets, you only need to add these rules if you are interested in also logging these spoofing or suspicious attempts before they are dropped. If you do choose to log various suspicious traffic, add identical rules with a target of DROP after each LOG. To log and then drop these IPv4 packets, insert the following rules in /etc/sysconfig/iptables (excepting any that are intentionally used): -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: " -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: " -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: " -A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: " -A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: " -A INPUT -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: " Similarly, you might wish to log packets containing some IPv6 reserved addresses if they are not expected on your network: -A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: " -A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " -A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " -A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " -A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " -A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " -A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " -A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " If you are not expecting to see site-local multicast or auto-tunneled traffic, you can log those: -A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: " -A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: " If you wish to block multicasts to all link-local nodes (e.g. if you are not using router auto-configuration and do not plan to have any services that multicast to the entire local network), you can block the link-local all-nodes multicast address (before accepting incoming ICMPv6): -A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: " However, if you're going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should then consider logging the non-routable IPv4-compatible addresses: -A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: " -A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: " -A INPUT -s ::224.0.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: " -A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: " If you are not expecting to see any IPv4 (or IPv4-compatible) traffic on your network, consider logging it before it gets dropped: -A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: " -A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: " The following rule will log all traffic originating from a site-local address, which is deprecated address space: -A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: " The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important feature is its support for automatic configuration of many network settings. A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from the network. From a security perspective, manually configuring important configuration information is preferable to accepting it from the network in an unauthenticated fashion. Disable the system's acceptance of router advertisements and redirects by adding or correcting the following line in /etc/sysconfig/network (note that this does not disable sending router solicitations): IPV6_AUTOCONF=no Toggle global IPv6 auto-configuration (only, if global forwarding is disabled) no no yes Accept all router advertisements? 0 0 1 Toggle ICMP Redirect Acceptance 0 0 1 Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected. 0 0 1 Toggle IPv6 Forwarding 0 0 1 Accept default router advertisements by default? 0 0 1 Toggle ICMP Redirect Acceptance By Default 0 0 1 Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected. 0 0 1 SLES-12-030361 To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0 CM-6(b) SLES-12-030361 SV-96517r1_rule 1 12 13 14 15 16 18 4 6 8 9 APO01.06 APO13.01 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.07 DSS06.02 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 DE.AE-1 ID.AM-3 PR.AC-5 PR.DS-5 PR.PT-4 SRG-OS-000480-GPOS-00227 Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. sysctl_net_ipv6_conf_all_accept_source_route_value="_{" # # Set runtime for net.ipv6.conf.all.accept_source_route # /sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route=$sysctl_net_ipv6_conf_all_accept_source_route_value # # If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_source_route' "$sysctl_net_ipv6_conf_all_accept_source_route_value" ''} - name: XCCDF Value sysctl_net_ipv6_conf_all_accept_source_route_value # promote to variable set_fact: sysctl_net_ipv6_conf_all_accept_source_route_value: !!str _{tags: - always - name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set sysctl: name: net.ipv6.conf.all.accept_source_route value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}' state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_net_ipv6_conf_all_accept_source_route - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-AC-4 - NIST-800-171-3.1.20 - DISA-STIG-030361} SLES-12-030401 To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 CCI-000366 CM-6(b) SLES-12-030401 SV-96519r1_rule 3.3.2 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 3.1.20 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 An illicit ICMP redirect message could result in a man-in-the-middle attack. sysctl_net_ipv6_conf_default_accept_redirects_value="_{" # # Set runtime for net.ipv6.conf.default.accept_redirects # /sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects=$sysctl_net_ipv6_conf_default_accept_redirects_value # # If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_redirects' "$sysctl_net_ipv6_conf_default_accept_redirects_value" ''} - name: XCCDF Value sysctl_net_ipv6_conf_default_accept_redirects_value # promote to variable set_fact: sysctl_net_ipv6_conf_default_accept_redirects_value: !!str _{tags: - always - name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set sysctl: name: net.ipv6.conf.default.accept_redirects value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}' state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_net_ipv6_conf_default_accept_redirects - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-CM-7 - NIST-800-171-3.1.20 - DISA-STIG-030401} To limit the configuration information requested from other systems and accepted from the network on a system that uses statically-configured IPv6 addresses, add the following lines to /etc/sysctl.conf: net.ipv6.conf.default.router_solicitations = 0 net.ipv6.conf.default.accept_ra_rtr_pref = 0 net.ipv6.conf.default.accept_ra_pinfo = 0 net.ipv6.conf.default.accept_ra_defrtr = 0 net.ipv6.conf.default.autoconf = 0 net.ipv6.conf.default.dad_transmits = 0 net.ipv6.conf.default.max_addresses = 1 The router_solicitations setting determines how many router solicitations are sent when bringing up the interface. If addresses are statically assigned, there is no need to send any solicitations. The accept_ra_pinfo setting controls whether the system will accept prefix info from the router. The accept_ra_defrtr setting controls whether the system will accept Hop Limit settings from a router advertisement. Setting it to 0 prevents a router from changing your default IPv6 Hop Limit for outgoing packets. The autoconf setting controls whether router advertisements can cause the system to assign a global unicast address to an interface. The dad_transmits setting determines how many neighbor solicitations to send out per address (global and link-local) when bringing up an interface to ensure the desired address is unique on the network. The max_addresses setting determines how many global unicast IPv6 addresses can be assigned to each interface. The default is 16, but it should be set to exactly the number of statically configured global addresses required. Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 address is assigned. The only way to effectively prevent execution of the IPv6 networking stack is to instruct the system not to activate the IPv6 kernel module. To prevent the IPv6 kernel module (ipv6) from binding to the IPv6 networking stack, add the following line to /etc/modprobe.d/disabled.conf (or another file in /etc/modprobe.d): options ipv6 disable=1 This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol. 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. # Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf # Since according to: https://access.redhat.com/solutions/72733 # "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from # loading, instruct also sysctl configuration to disable IPv6 according to: # https://access.redhat.com/solutions/8709#rhel6disable declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6") for setting in ${IPV6_SETTINGS[@]} do # Set runtime =1 for setting /sbin/sysctl -q -n -w "$setting=1" # If setting is present in /etc/sysctl.conf, change value to "1" # else, add "$setting = 1" to /etc/sysctl.conf if grep -q ^"$setting" /etc/sysctl.conf ; then sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf else echo "" >> /etc/sysctl.conf echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf echo "$setting = 1" >> /etc/sysctl.conf fi done The sysctl utility is used to set parameters which affect the operation of the Linux kernel. Kernel parameters which affect networking and have security implications are described here. Certain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability defend against certain types of IPv4 protocol attacks. Disable ICMP Redirect Acceptance 0 0 1 Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected. 0 0 1 Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets 1 0 1 Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense when considered in light of the physical interface on which it arrived. 1 0 1 Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces. 0 0 1 Disable ICMP Redirect Acceptance? 0 0 1 Disable IP source routing? 0 0 1 Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets 1 0 1 Enables source route verification 1 0 1 Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packages by default. 0 0 1 Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast 1 0 1 Enable to prevent unnecessary logging 1 0 1 Enable to turn on TCP SYN Cookie Protection 1 0 1 SLES-12-030390 To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0 SLES-12-030390 SV-92189r3_rule 3.2.2 1 11 12 13 14 15 16 2 3 7 8 9 5.10.1.1 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.05 DSS05.07 DSS06.06 3.1.20 CCI-000366 CCI-001503 CCI-001551 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.9.1.2 CM-6(d) CM-7 SC-5 DE.CM-1 PR.DS-4 PR.IP-1 PR.PT-3 SRG-OS-000480-GPOS-00227 ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. sysctl_net_ipv4_conf_all_accept_redirects_value="_{" # # Set runtime for net.ipv4.conf.all.accept_redirects # /sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects=$sysctl_net_ipv4_conf_all_accept_redirects_value # # If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.accept_redirects' "$sysctl_net_ipv4_conf_all_accept_redirects_value" ''} - name: XCCDF Value sysctl_net_ipv4_conf_all_accept_redirects_value # promote to variable set_fact: sysctl_net_ipv4_conf_all_accept_redirects_value: !!str _{tags: - always - name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set sysctl: name: net.ipv4.conf.all.accept_redirects value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}' state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_net_ipv4_conf_all_accept_redirects - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-CM-6(d) - NIST-800-53-CM-7 - NIST-800-53-SC-5 - NIST-800-171-3.1.20 - CJIS-5.10.1.1 - DISA-STIG-030390} SLES-12-030360 To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0 CM-6(b) SLES-12-030360 SV-92183r1_rule 3.2.1 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227 Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. sysctl_net_ipv4_conf_all_accept_source_route_value="_{" # # Set runtime for net.ipv4.conf.all.accept_source_route # /sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route=$sysctl_net_ipv4_conf_all_accept_source_route_value # # If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.accept_source_route' "$sysctl_net_ipv4_conf_all_accept_source_route_value" ''} - name: XCCDF Value sysctl_net_ipv4_conf_all_accept_source_route_value # promote to variable set_fact: sysctl_net_ipv4_conf_all_accept_source_route_value: !!str _{tags: - always - name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set sysctl: name: net.ipv4.conf.all.accept_source_route value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}' state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_net_ipv4_conf_all_accept_source_route - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-AC-4 - NIST-800-53-CM-7 - NIST-800-53-SC-5 - NIST-800-171-3.1.20 - DISA-STIG-030360} SLES-12-030400 To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0 SLES-12-030400 SV-92191r4_rule 3.2.2 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-001551 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 SC-7 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227 ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. sysctl_net_ipv4_conf_default_accept_redirects_value="_{" # # Set runtime for net.ipv4.conf.default.accept_redirects # /sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=$sysctl_net_ipv4_conf_default_accept_redirects_value # # If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.accept_redirects' "$sysctl_net_ipv4_conf_default_accept_redirects_value" ''} - name: XCCDF Value sysctl_net_ipv4_conf_default_accept_redirects_value # promote to variable set_fact: sysctl_net_ipv4_conf_default_accept_redirects_value: !!str _{tags: - always - name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set sysctl: name: net.ipv4.conf.default.accept_redirects value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}' state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_net_ipv4_conf_default_accept_redirects - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-AC-4 - NIST-800-53-CM-7 - NIST-800-53-SC-5 - NIST-800-53-SC-7 - NIST-800-171-3.1.20 - CJIS-5.10.1.1 - DISA-STIG-030400} SLES-12-030370 To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0 CCI-000366 CM-6(b) SLES-12-030370 SV-92185r3_rule 3.2.1 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-000366 CCI-001551 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 SC-7 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227 Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router. sysctl_net_ipv4_conf_default_accept_source_route_value="_{" # # Set runtime for net.ipv4.conf.default.accept_source_route # /sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route=$sysctl_net_ipv4_conf_default_accept_source_route_value # # If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.accept_source_route' "$sysctl_net_ipv4_conf_default_accept_source_route_value" ''} - name: XCCDF Value sysctl_net_ipv4_conf_default_accept_source_route_value # promote to variable set_fact: sysctl_net_ipv4_conf_default_accept_source_route_value: !!str _{tags: - always - name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set sysctl: name: net.ipv4.conf.default.accept_source_route value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}' state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_net_ipv4_conf_default_accept_source_route - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-AC-4 - NIST-800-53-CM-7 - NIST-800-53-SC-5 - NIST-800-53-SC-7 - NIST-800-171-3.1.20 - CJIS-5.10.1.1 - DISA-STIG-030370} SLES-12-030380 To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_echo_ignore_broadcasts = 1 CM-6(b) SLES-12-030380 SV-92187r1_rule 3.2.5 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227 Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value="_{" # # Set runtime for net.ipv4.icmp_echo_ignore_broadcasts # /sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value # # If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv4.icmp_echo_ignore_broadcasts' "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" ''} - name: XCCDF Value sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value # promote to variable set_fact: sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: !!str _{tags: - always - name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}' state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-AC-4 - NIST-800-53-CM-7 - NIST-800-53-SC-5 - NIST-800-171-3.1.20 - CJIS-5.10.1.1 - DISA-STIG-030380} SLES-12-030350 To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1 CCI-001095 SC-5(2) SRG-OS-000142-GPOS-00071 SLES-12-030350 SV-92181r1_rule 3.2.8 1 12 13 14 15 16 18 2 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.07 DSS06.02 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 SC-5(1)(2) SC-5(2) SC-5(3) DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.PT-4 SRG-OS-000480-GPOS-00227 A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. sysctl_net_ipv4_tcp_syncookies_value="_{" # # Set runtime for net.ipv4.tcp_syncookies # /sbin/sysctl -q -n -w net.ipv4.tcp_syncookies=$sysctl_net_ipv4_tcp_syncookies_value # # If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf # replace_or_append '/etc/sysctl.conf' '^net.ipv4.tcp_syncookies' "$sysctl_net_ipv4_tcp_syncookies_value" ''} - name: XCCDF Value sysctl_net_ipv4_tcp_syncookies_value # promote to variable set_fact: sysctl_net_ipv4_tcp_syncookies_value: !!str _{tags: - always - name: Ensure sysctl net.ipv4.tcp_syncookies is set sysctl: name: net.ipv4.tcp_syncookies value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}' state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_net_ipv4_tcp_syncookies - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-AC-4 - NIST-800-53-SC-5(1)(2) - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3) - NIST-800-171-3.1.20 - CJIS-5.10.1.1 - DISA-STIG-030350} If the system is not going to be used as a router, then setting certain kernel parameters ensure that the host will not perform routing of network traffic. SLES-12-030420 To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0 CM-6(b) SLES-12-030420 SV-92195r3_rule 3.1.2 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5(1) DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227 ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers. # # Set runtime for net.ipv4.conf.all.send_redirects # /sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects=0 # # If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0" # else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf # _{replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.send_redirects' "0" ''} - name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0 sysctl: name: net.ipv4.conf.all.send_redirects value: 0 state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_net_ipv4_conf_all_send_redirects - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-AC-4 - NIST-800-53-CM-7 - NIST-800-53-SC-5(1) - NIST-800-171-3.1.20 - CJIS-5.10.1.1 - DISA-STIG-030420 SLES-12-030410 To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0 CM-6(b) SLES-12-030410 SV-92193r4_rule 3.1.2 1 11 12 13 14 15 16 18 2 3 4 6 7 8 9 5.10.1.1 APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06 3.1.20 CCI-000366 4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-4 CM-7 SC-5 SC-7 DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227 ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers. # # Set runtime for net.ipv4.conf.default.send_redirects # /sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects=0 # # If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0" # else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf # _{replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.send_redirects' "0" ''} - name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0 sysctl: name: net.ipv4.conf.default.send_redirects value: 0 state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_net_ipv4_conf_default_send_redirects - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-AC-4 - NIST-800-53-CM-7 - NIST-800-53-SC-5 - NIST-800-53-SC-7 - NIST-800-171-3.1.20 - CJIS-5.10.1.1 - DISA-STIG-030410 SLES-12-030430 To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0 CM-6(b) SLES-12-030430 SV-92197r3_rule 3.1.1 1 11 12 13 14 15 16 2 3 7 8 9 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.05 DSS05.07 DSS06.06 3.1.20 CCI-000366 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.9.1.2 CM-7 SC-5 SC-32 DE.CM-1 PR.DS-4 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000480-GPOS-00227 Forwarding packets between different interfaces can facilitate unauthorized data transfers. The ability to forward packets is therefore only appropriate for routers. # # Set runtime for net.ipv4.ip_forward # /sbin/sysctl -q -n -w net.ipv4.ip_forward=0 # # If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0" # else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf # _{replace_or_append '/etc/sysctl.conf' '^net.ipv4.ip_forward' "0" ''} - name: Ensure sysctl net.ipv4.ip_forward is set to 0 sysctl: name: net.ipv4.ip_forward value: 0 state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_net_ipv4_ip_forward - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-CM-7 - NIST-800-53-SC-5 - NIST-800-53-SC-32 - NIST-800-171-3.1.20 - DISA-STIG-030430 The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code are not frequently discovered, the consequences can be dramatic. Ensuring uncommon network protocols are disabled reduces the system's risk to attacks targeted at its implementation of those protocols. Although these protocols are not commonly used, avoid disruption in your network environment by ensuring they are not needed prior to disabling them. The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the rds kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: install rds /bin/true 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Disabling RDS protects the system against exploitation of any flaws in its implementation. The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: install tipc /bin/true 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 Disabling TIPC protects the system against exploitation of any flaws in its implementation. Wireless networking, such as 802.11 (WiFi) and Bluetooth, can present a security risk to sensitive or classified systems and networks. Wireless networking hardware is much more likely to be included in laptop or portable systems than in desktops or servers. Removal of hardware provides the greatest assurance that the wireless capability remains disabled. Acquisition policies often include provisions to prevent the purchase of equipment that will be used in sensitive spaces and includes wireless capabilities. If it is impractical to remove the wireless hardware, and policy permits the device to enter sensitive spaces as long as wireless is disabled, efforts should instead focus on disabling wireless capability via software. If it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following methods can disable software support for wireless networking, but note that these methods do not prevent malicious software or careless users from re-activating the devices. SLES-12-030450 Deactivating wireless network interfaces should prevent normal usage of the wireless capability. Configure the system to disable wireless network interfaces by issuing the following command for every active <WIFI-INTERFACE> in the system: $ sudo wicked ifdown <WIFI-INTERFACE> Also remove the configuration files for every wifi adapter from /etc/wicked/ifconfig/<WIFI-INTERFACE>.xml to prevent future connections. CCI-001443 CCI-001444 CCI-002418 AC-18(1) SC-8 SLES-12-030450 SV-92201r1_rule 4.3.1 11 12 14 15 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06 3.1.16 CCI-000085 CCI-002418 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2 AC-17(8) AC-18(a) AC-18(d) AC-18(3) CM-7 PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4 SRG-OS-000424-GPOS-00188 The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. Network interfaces expand the attack surface of the system. Unused interfaces are not monitored or controlled, and should be disabled. If the system does not require network communications but still needs to use the loopback interface, remove all files of the form ifcfg-interface except for ifcfg-lo from /etc/sysconfig/network-scripts: $ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface If the system is a standalone machine with no need for network access or even communication over the loopback device, then disable this service. The network service can be disabled with the following command: $ sudo systemctl disable network.service Support for Transport Layer Security (TLS), and its predecessor, the Secure Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package openssl). TLS provides encrypted and authenticated network communications, and many network services include support for it. TLS or SSL can be leveraged to avoid any plaintext transmission of sensitive data. For information on how to use OpenSSL, see http://www.openssl.org/docs/. Information on FIPS validation of OpenSSL is available at http://www.openssl.org/docs/fips.html and http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm. The SuSEfirewall2 provides a managed firewall. SLES-12-030040 The SuSEfirewall2 package can be installed with the following command: $ sudo zypper install SuSEfirewall2 The SuSEfirewall2 service can be enabled with the following command: $ sudo systemctl enable SuSEfirewall2.service Verify "SuSEfirewall2" is configured to protect the SUSE operating system against or limit the effects of DoS attacks. Run the following command: # grep -i fw_services_accept_ext /etc/sysconfig/SuSEfirewall2 FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh" If the "FW_SERVICES_ACCEPT_EXT" rule does not contain both the hitcount and blockseconds parameters, this is a finding. SLES-12-030040 SV-92133r3_rule CCI-002385 SC-5 DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the SUSE operating system to mitigate the impact on system availability of DoS attacks that have occurred or are ongoing. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. SLES-12-030030 Verify "SuSEfirewall2" is configured to protect the SUSE operating system against or limit the effects of DoS attacks. Run the following command: # grep -i fw_services_accept_ext /etc/sysconfig/SuSEfirewall2 FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh" If the "FW_SERVICES_ACCEPT_EXT" rule does not contain both the hitcount and blockseconds parameters, this is a finding. SLES-12-030030 SV-92131r1_rule CCI-000382 CCI-002080 CCI-002314 CM-7 CA-3(5) AC-17(1) To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the SUSE operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or address authorized quality-of-life issues. The SuSEfirewall2 service can be enabled with the following command: $ sudo systemctl enable SuSEfirewall2.service CCI-000382 CM-7 CA-3(5) AC-17(1) To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. _{package_install 'SuSEfirewall2' || exit 1 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'SuSEfirewall2.service' "$SYSTEMCTL_EXEC" enable 'SuSEfirewall2.service'} - name: Enable service SuSEfirewall2 service: name: SuSEfirewall2 enabled: 'yes' state: started tags: - service_SuSEfirewall2_enabled - medium_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-CM-7 - NIST-800-53-CA-3(5) - NIST-800-53-AC-17(1) Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. Several of the commands in this section search filesystems for files or directories with certain characteristics, and are intended to be run on every local partition on a given system. When the variable PART appears in one of the commands below, it means that the command is intended to be run repeatedly, with the name of each local partition substituted for PART in turn. The following command prints a list of all xfs partitions on the local system, which is the default filesystem for SUSE Linux Enterprise 12 installations: $ mount -t xfs | awk '{print $3}' For any systems that use a different local filesystem type, modify this command as appropriate. Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen. SLES-12-010460 When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory DIR, run the following command: $ sudo chmod +t DIR SLES-12-010460 SV-91845r2_rule 1.1.21 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access. df --local -P | awk {'if (NR!=1) print $6'} \ | xargs -I '{}' find '{}' -xdev -type d \ \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \ | xargs chmod a+t Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set the permissions of /boot/System.map-*, run the command: $ sudo chmod 0600 /boot/System.map-* NT28(R13) The System.map file contains information about kernel symbols and can give some hints to generate local exploitation. The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. 6.1.14 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(1) PR.AC-4 PR.DS-5 Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system. The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. 6.1.13 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6(1) PR.AC-4 PR.DS-5 Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system. It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as sysfs or procfs. 6.1.10 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files. SLES-12-010700 If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. SLES-12-010700 SV-91889r2_rule 6.1.12 1 11 12 13 14 15 16 18 3 5 APO01.06 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.02 DSS06.03 DSS06.06 DSS06.10 CCI-002165 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.18.1.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-3(4) AC-6 IA-2 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.DS-5 PR.PT-3 SRG-OS-000480-GPOS-00227 Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. SLES-12-010690 If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. SLES-12-010690 SV-91883r3_rule 6.1.11 11 12 13 14 15 16 18 3 5 9 APO01.06 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 CCI-002165 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-3(4) AC-6 CM-6(b) PR.AC-4 PR.AC-6 PR.DS-5 PR.IP-1 PR.PT-3 SRG-OS-000480-GPOS-00227 Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1 NT28(R23) 1.6.1 SI-11 Disallowing such hardlink mitigate vulnerabilities based on insecure file system accessed by privilegied programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 NT28(R23) 1.6.1 SI-11 Disallowing such symlink mitigate vulnerabilities based on insecure file system accessed by privilegied programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). SLES-12-010830 All directories in local partitions which are world-writable should be group-owned by root, sys, bin or an application group. If any world-writable directories are not group-owned by such a group, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. SLES-12-010830 SV-91949r1_rule CCI-000366 CM-6(b) SRG-OS-000480-GPOS-00227 If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. The default restrictive permissions for files which act as important security databases such as passwd, shadow, group, and gshadow files must be maintained. Many utilities need read access to the passwd file in order to function properly, but read access to the shadow file allows malicious attacks against system passwords, and should never be enabled. To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group 6.1.4 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. chgrp 0 /etc/group - name: Test for existence /etc/group stat: path: /etc/group register: file_exists tags: - file_groupowner_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure group owner 0 on /etc/group file: path: /etc/group group: 0 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_groupowner_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp root /etc/gshadow 6.1.5 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. chgrp 0 /etc/gshadow - name: Test for existence /etc/gshadow stat: path: /etc/gshadow register: file_exists tags: - file_groupowner_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - name: Ensure group owner 0 on /etc/gshadow file: path: /etc/gshadow group: 0 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_groupowner_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd 6.1.2 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. chgrp 0 /etc/passwd - name: Test for existence /etc/passwd stat: path: /etc/passwd register: file_exists tags: - file_groupowner_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure group owner 0 on /etc/passwd file: path: /etc/passwd group: 0 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_groupowner_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp root /etc/shadow 6.1.3 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/shadow file stores password hashes. Protection of this file is critical for system security. chgrp 0 /etc/shadow - name: Test for existence /etc/shadow stat: path: /etc/shadow register: file_exists tags: - file_groupowner_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure group owner 0 on /etc/shadow file: path: /etc/shadow group: 0 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_groupowner_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group 6.1.4 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. chown 0 /etc/group - name: Test for existence /etc/group stat: path: /etc/group register: file_exists tags: - file_owner_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure owner 0 on /etc/group file: path: /etc/group owner: 0 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_owner_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 To properly set the owner of /etc/gshadow, run the command: $ sudo chown root /etc/gshadow 6.1.5 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. chown 0 /etc/gshadow - name: Test for existence /etc/gshadow stat: path: /etc/gshadow register: file_exists tags: - file_owner_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - name: Ensure owner 0 on /etc/gshadow file: path: /etc/gshadow owner: 0 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_owner_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd 6.1.2 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. chown 0 /etc/passwd - name: Test for existence /etc/passwd stat: path: /etc/passwd register: file_exists tags: - file_owner_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure owner 0 on /etc/passwd file: path: /etc/passwd owner: 0 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_owner_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 To properly set the owner of /etc/shadow, run the command: $ sudo chown root /etc/shadow 6.1.3 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. chown 0 /etc/shadow - name: Test for existence /etc/shadow stat: path: /etc/shadow register: file_exists tags: - file_owner_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure owner 0 on /etc/shadow file: path: /etc/shadow owner: 0 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_owner_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 To properly set the permissions of /etc/passwd, run the command: $ sudo chmod 0644 /etc/passwd 6.1.4 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. chmod 0644 /etc/group - name: Test for existence /etc/group stat: path: /etc/group register: file_exists tags: - file_permissions_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure permission 0644 on /etc/group file: path: /etc/group mode: 420 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_permissions_etc_group - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 To properly set the permissions of /etc/gshadow, run the command: $ sudo chmod 0000 /etc/gshadow 6.1.5 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. chmod 0000 /etc/gshadow - name: Test for existence /etc/gshadow stat: path: /etc/gshadow register: file_exists tags: - file_permissions_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - name: Ensure permission 0000 on /etc/gshadow file: path: /etc/gshadow mode: 0 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_permissions_etc_gshadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 To properly set the permissions of /etc/passwd, run the command: $ sudo chmod 0644 /etc/passwd 6.1.2 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. chmod 0644 /etc/passwd - name: Test for existence /etc/passwd stat: path: /etc/passwd register: file_exists tags: - file_permissions_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure permission 0644 on /etc/passwd file: path: /etc/passwd mode: 420 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_permissions_etc_passwd - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 To properly set the permissions of /etc/shadow, run the command: $ sudo chmod 0640 /etc/shadow 6.1.3 12 13 14 15 16 18 3 5 5.5.2.2 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Req-8.7.c The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. chmod 0000 /etc/shadow - name: Test for existence /etc/shadow stat: path: /etc/shadow register: file_exists tags: - file_permissions_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 - name: Ensure permission 0000 on /etc/shadow file: path: /etc/shadow mode: 0 when: file_exists.stat is defined and file_exists.stat.exists tags: - file_permissions_etc_shadow - medium_severity - configure_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-6 - PCI-DSS-Req-8.7.c - CJIS-5.5.2.2 SLES-12-010300 To properly set the owner of /etc/security/opasswd, run the command: $ sudo chown root /etc/security/opasswd To properly set the group owner of /etc/security/opasswd, run the command: $ sudo chgrp root /etc/security/opasswd To properly set the permissions of /etc/security/opasswd, run the command: $ sudo chmod 0600 /etc/security/opasswd SLES-12-010300 SV-91815r1_rule CCI-000200 IA-5(1)(e) IA-5(1).1(v) The /etc/security/opasswd file stores old passwords to prevent password reuse. Protection of this file is critical for system security. [ -e /etc/security/opasswd ] || touch /etc/security/opasswd chown root /etc/security/opasswd chgrp root /etc/security/opasswd chmod 0600 /etc/security/opasswd Some directories contain files whose confidentiality or integrity is notably important and may also be susceptible to misconfiguration over time, particularly if unpackaged software is installed. As such, an argument exists to verify that files' permissions within these directories remain configured correctly and restrictively. System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command: $ sudo chown root FILE 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chown root FILE 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary in many environments, but this capability also carries some risk -- whether direct risk from allowing users to introduce arbitrary filesystems, or risk that software flaws in the automated mount facility itself could allow an attacker to compromise the system. This command can be used to list the types of filesystems that are available to the currently executing kernel: $ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko' If these filesystems are not required then they can be explicitly disabled in a configuratio file in /etc/modprobe.d. SLES-12-010590 The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter. The autofs service can be disabled with the following command: $ sudo systemctl disable autofs.service SLES-12-010590 SV-91863r2_rule 1.1.22 1 12 15 16 5 APO13.01 DSS01.04 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10 3.4.6 CCI-000366 CCI-000778 CCI-001958 164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.310(d)(1) 164.310(d)(2) 164.312(a)(1) 164.312(a)(2)(iv) 164.312(b) 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.10 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.6 A.11.2.6 A.13.1.1 A.13.2.1 A.18.1.4 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 AC-19(a) AC-19(d) AC-19(e) IA-3 PR.AC-1 PR.AC-3 PR.AC-6 PR.AC-7 SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163 SRG-OS-000480-GPOS-00227 Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab. Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity. SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'autofs.service' "$SYSTEMCTL_EXEC" disable 'autofs.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^autofs.socket\>' && "$SYSTEMCTL_EXEC" disable 'autofs.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'autofs.service' - name: Disable service autofs service: name: autofs enabled: 'no' state: stopped register: service_result failed_when: service_result is failed and ('Could not find the requested service' not in service_result.msg) tags: - service_autofs_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-53-IA-3 - NIST-800-171-3.4.6 - DISA-STIG-010590 - name: Disable socket of service autofs if applicable service: name: autofs.socket enabled: 'no' state: stopped register: socket_result failed_when: socket_result is failed and ('Could not find the requested service' not in socket_result.msg) tags: - service_autofs_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-53-IA-3 - NIST-800-171-3.4.6 - DISA-STIG-010590 System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the /etc/fstab configuration file, and can be used to make certain types of malicious behavior more difficult. This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions, and mount_option_nodev_removable_partitions to ensure that the correct mount options are set on partitions mounted from removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable partitions that are required on the local system. /dev/cdrom The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. 1.1.15 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3 The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. _{include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "/dev/shm" "nodev" "" "" ensure_partition_is_mounted "/dev/shm" } perform_remediation} - name: get back device associated to mountpoint shell: 'set -o pipefail mount | grep '' /dev/shm '' | cut -d '' '' -f 1 ' args: warn: false executable: /bin/bash register: device_name check_mode: false changed_when: false when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_dev_shm_nodev - medium_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - NIST-800-53-CM-7 - NIST-800-53-MP-2 - block: - name: get back device previous mount option shell: 'set -o pipefail mount | grep '' /dev/shm '' | sed -re ''s:.*\((.*)\):\1:'' ' args: warn: false executable: /bin/bash register: device_cur_mountoption check_mode: false changed_when: false - name: get back device fstype shell: 'set -o pipefail mount | grep '' /dev/shm '' | cut -d '' '' -f 5 ' args: warn: false executable: /bin/bash register: device_fstype check_mode: false changed_when: false - name: Ensure permission nodev are set on /dev/shm mount: path: /dev/shm src: '{{ device_name.stdout }}' opts: '{{ device_cur_mountoption.stdout }},nodev' state: mounted fstype: '{{ device_fstype.stdout }}' when: - (device_name.stdout | length > 0) - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_dev_shm_nodev - medium_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - NIST-800-53-CM-7 - NIST-800-53-MP-2 The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. 1.1.16 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3 The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. _{include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "/dev/shm" "nosuid" "" "" ensure_partition_is_mounted "/dev/shm" } perform_remediation} - name: get back device associated to mountpoint shell: 'set -o pipefail mount | grep '' /dev/shm '' | cut -d '' '' -f 1 ' args: warn: false executable: /bin/bash register: device_name check_mode: false changed_when: false when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_dev_shm_nosuid - medium_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - NIST-800-53-CM-7 - NIST-800-53-MP-2 - block: - name: get back device previous mount option shell: 'set -o pipefail mount | grep '' /dev/shm '' | sed -re ''s:.*\((.*)\):\1:'' ' args: warn: false executable: /bin/bash register: device_cur_mountoption check_mode: false changed_when: false - name: get back device fstype shell: 'set -o pipefail mount | grep '' /dev/shm '' | cut -d '' '' -f 5 ' args: warn: false executable: /bin/bash register: device_fstype check_mode: false changed_when: false - name: Ensure permission nosuid are set on /dev/shm mount: path: /dev/shm src: '{{ device_name.stdout }}' opts: '{{ device_cur_mountoption.stdout }},nosuid' state: mounted fstype: '{{ device_fstype.stdout }}' when: - (device_name.stdout | length > 0) - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_dev_shm_nosuid - medium_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - NIST-800-53-CM-7 - NIST-800-53-MP-2 The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home. 1.1.3 11 13 14 3 8 9 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS05.06 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.2 CM-7 MP-2 PR.IP-1 PR.PT-2 PR.PT-3 The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. _{include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab /home || { echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "/home" "nosuid" "" "" ensure_partition_is_mounted "/home" } perform_remediation} - name: get back device associated to mountpoint shell: 'set -o pipefail mount | grep '' /home '' | cut -d '' '' -f 1 ' args: warn: false executable: /bin/bash register: device_name check_mode: false changed_when: false when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_home_nosuid - unknown_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - NIST-800-53-CM-7 - NIST-800-53-MP-2 - block: - name: get back device previous mount option shell: 'set -o pipefail mount | grep '' /home '' | sed -re ''s:.*\((.*)\):\1:'' ' args: warn: false executable: /bin/bash register: device_cur_mountoption check_mode: false changed_when: false - name: get back device fstype shell: 'set -o pipefail mount | grep '' /home '' | cut -d '' '' -f 5 ' args: warn: false executable: /bin/bash register: device_fstype check_mode: false changed_when: false - name: Ensure permission nosuid are set on /home mount: path: /home src: '{{ device_name.stdout }}' opts: '{{ device_cur_mountoption.stdout }},nosuid' state: mounted fstype: '{{ device_fstype.stdout }}' when: - (device_name.stdout | length > 0) - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_home_nosuid - unknown_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - NIST-800-53-CM-7 - NIST-800-53-MP-2 SLES-12-010800 The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. SLES-12-010800 SV-91933r2_rule 1.1.19 11 12 13 14 15 16 18 3 5 8 9 APO01.06 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.06 DSS05.07 DSS06.02 DSS06.03 DSS06.06 CCI-000366 4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.11.2.6 A.11.2.9 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3.1 A.8.3.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 AC-19(a) AC-19(d) AC-19(e) CM-7 MP-2 PR.AC-3 PR.AC-4 PR.AC-6 PR.DS-5 PR.IP-1 PR.PT-2 PR.PT-3 SRG-OS-000480-GPOS-00227 The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. var_removable_partition="_{" include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab "$var_removable_partition" || { echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "$var_removable_partition" "nosuid" "" "" ensure_partition_is_mounted "$var_removable_partition" } perform_remediation} - name: XCCDF Value var_removable_partition # promote to variable set_fact: var_removable_partition: !!str _{tags: - always - name: get back device associated to mountpoint shell: 'set -o pipefail mount | grep '' {{ var_removable_partition }} '' | cut -d '' '' -f 1 ' args: warn: false executable: /bin/bash register: device_name check_mode: false changed_when: false when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_nosuid_removable_partitions - medium_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - NIST-800-53-AC-6 - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-53-CM-7 - NIST-800-53-MP-2 - DISA-STIG-010800 - block: - name: get back device previous mount option shell: 'set -o pipefail mount | grep '' {{ var_removable_partition }} '' | sed -re ''s:.*\((.*)\):\1:'' ' args: warn: false executable: /bin/bash register: device_cur_mountoption check_mode: false changed_when: false - name: get back device fstype shell: 'set -o pipefail mount | grep '' {{ var_removable_partition }} '' | cut -d '' '' -f 5 ' args: warn: false executable: /bin/bash register: device_fstype check_mode: false changed_when: false - name: Ensure permission nosuid are set on var_removable_partition mount: path: '{{ var_removable_partition }}' src: '{{ device_name.stdout }}' opts: '{{ device_cur_mountoption.stdout }},nosuid' state: mounted fstype: '{{ device_fstype.stdout }}' when: - (device_name.stdout | length > 0) - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_nosuid_removable_partitions - medium_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - NIST-800-53-AC-6 - NIST-800-53-AC-19(a) - NIST-800-53-AC-19(d) - NIST-800-53-AC-19(e) - NIST-800-53-CM-7 - NIST-800-53-MP-2 - DISA-STIG-010800} SLES-12-010810 The nosuid mount option can be used to prevent execution of setuid programs in network mounts. The SUID and SGID permissions should not be required in these user data directories. SLES-12-010810 SV-91937r2_rule CCI-000366 CM-6(b) The presence of SUID and SGID executables should be tightly controlled. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. SLES-12-010820 The noexec mount option can be used to prevent execution of programs in mounted file systems. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. SLES-12-010820 SV-91947r2_rule CCI-000366 CM-6(b) Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. SLES-12-010790 The nosuid mount option can be used to prevent execution of setuid programs in home directories. The SUID and SGID permissions should not be required in these user data directories. Assuming home directories in /home, Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home. SLES-12-010790 SV-91925r2_rule CCI-000366 CM-6(b) SRG-OS-000480-GPOS-00227 The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the system initialization or kernel level, and defend against certain types of badly-configured or compromised programs. A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to access these files. The core dump files may also contain sensitive information, or unnecessarily occupy large amounts of disk space. Once a hard limit is set in /etc/security/limits.conf, a user cannot increase that limit within his or her own session. If access to core dumps is required, consider restricting them to only certain users or groups. See the limits.conf man page for more information. The core dumps of setuid programs are further protected. The sysctl variable fs.suid_dumpable controls whether the kernel allows core dumps from these programs at all. The default value of 0 is recommended. To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command: $ sudo sysctl -w fs.suid_dumpable=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: fs.suid_dumpable = 0 1.5.1 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) SI-11 The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. # # Set runtime for fs.suid_dumpable # /sbin/sysctl -q -n -w fs.suid_dumpable=0 # # If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0" # else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf # _{replace_or_append '/etc/sysctl.conf' '^fs.suid_dumpable' "0" ''} - name: Ensure sysctl fs.suid_dumpable is set to 0 sysctl: name: fs.suid_dumpable value: 0 state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_fs_suid_dumpable - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-SI-11 The umask is a per-process setting which limits the default permissions for creation of new files and directories. The system includes initialization scripts which set the default umask for system daemons. Enter umask for daemons 022 027 022 ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and other memory regions, prevention of execution in memory that should only hold data, and special handling of text buffers. These protections are enabled by default on 32-bit systems and controlled through sysctl variables kernel.exec-shield and kernel.randomize_va_space. On the latest 64-bit systems, kernel.exec-shield cannot be enabled or disabled with sysctl. SLES-12-030320 To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=1 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 1 SI-16 SLES-12-030320 SV-92175r2_rule NT28(R23) CCI-002824 SC-39 SRG-OS-000433-GPOS-00192 Exposing kernel pointers (through procfs or seq_printf()) exposes the addresses of the kernel code and data. If a write vulnerability occurs in the kernel allowing a write access to a structure containing a function pointer, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability from getting kernel pointer addresses, replacing them with 0. # # Set runtime for kernel.kptr_restrict # /sbin/sysctl -q -n -w kernel.kptr_restrict=1 # # If kernel.kptr_restrict present in /etc/sysctl.conf, change value to "1" # else, add "kernel.kptr_restrict = 1" to /etc/sysctl.conf # _{replace_or_append '/etc/sysctl.conf' '^kernel.kptr_restrict' "1" ''} - name: Ensure sysctl kernel.kptr_restrict is set to 1 sysctl: name: kernel.kptr_restrict value: 1 state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_kernel_kptr_restrict - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-SC-39 - DISA-STIG-030320 SLES-12-030330 To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 CCI-002824 SI-16 SRG-OS-000433-GPOS-00193 SLES-12-030330 SV-92177r1_rule 1.5.1 3.1.7 CCI-000366 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e) SC-30(2) SC-39 SRG-OS-000480-GPOS-00227 Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. # # Set runtime for kernel.randomize_va_space # /sbin/sysctl -q -n -w kernel.randomize_va_space=2 # # If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2" # else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf # _{replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' "2" ''} - name: Ensure sysctl kernel.randomize_va_space is set to 2 sysctl: name: kernel.randomize_va_space value: 2 state: present reload: true when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - sysctl_kernel_randomize_va_space - medium_severity - disable_strategy - low_complexity - medium_disruption - reboot_required - NIST-800-53-SC-30(2) - NIST-800-53-SC-39 - NIST-800-171-3.1.7 - DISA-STIG-030330 Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. Memory Poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leak of information and detection of corrupted memory. Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses the /etc/permissions.local file, where expected permissions can be configured to be checked and fixed through usage of the chkstat command. SLES-12-010890 Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set the permissions of /var/log/messages, run the command: $ sudo chmod 0640 /var/log/messages Check that "permissions.local" file contains the correct permissions rules with the following command: # grep -i messages /etc/permissions.local /var/log/messages root:root 640 SLES-12-010890 SV-91971r1_rule CCI-001314 SI-11(c) The /var/log/messages file contains system error messages. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. SLES-12-020120 Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user. Check that "permissions.local" file contains the correct permissions rules with the following command: # grep -i audit /etc/permissions.local /var/log/audit/ root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 SLES-12-020120 SV-92007r1_rule CCI-000162 CCI-000163 CCI-000164 AU-9 Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. SLES-12-020130 The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. Check that "permissions.local" file contains the correct permissions rules with the following command: grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 0750 /usr/sbin/auditctl root:root 0750 /usr/sbin/auditd root:root 0750 /usr/sbin/ausearch root:root 0755 /usr/sbin/aureport root:root 0755 /usr/sbin/autrace root:root 0750 /usr/sbin/augenrules root:root 0750 Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. SLES-12-020130 SV-92009r2_rule CCI-001493 CCI-001494 CCI-001495 AU-9 Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SUSE operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. SLES-12-010880 Verify that the SUSE operating system prevents unauthorized users from accessing system command and library files. Check that all of the audit information files and folders have the correct permissions with the following command: # sudo chkstat --warn --system Set the correct permissions with the following command: # sudo chkstat --set --system SLES-12-010880 SV-91969r1_rule CCI-001499 CM-5(6) If the SUSE operating system were to allow any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components to initiate changes, including upgrades and modifications. SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take. The default SELinux policy, as configured on SUSE Linux Enterprise 12, has been sufficiently developed and debugged that it should be usable on almost any system with minimal configuration and a small amount of system administrator training. This policy prevents system services - including most of the common network-visible services such as mail servers, FTP servers, and DNS servers - from accessing files which those services have no valid reason to access. This action alone prevents a huge amount of possible damage from network attacks against services, from trojaned software, and so forth. This guide recommends that SELinux be enabled using the default (targeted) policy on every SUSE Linux Enterprise 12 system, unless that system has unusual requirements which make a stronger policy appropriate. Type of policy in use. Possible values are: targeted - Only targeted network daemons are protected. strict - Full SELinux protection. mls - Multiple levels of security targeted mls targeted enforcing - SELinux security policy is enforced. permissive - SELinux prints warnings instead of enforcing. disabled - SELinux is fully disabled. enforcing disabled enforcing permissive Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy. default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. true false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true default - Default SELinux boolean setting. on - SELinux boolean is enabled. off - SELinux boolean is disabled. false false true The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates. To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning scheme creates separate logical volumes for /, /boot, and swap. If starting with any of the default layouts, check the box to \"Review and modify partitioning.\" This allows for the easy creation of additional logical volumes inside the volume group already created, though it may require making /'s logical volume smaller to create space. In general, using logical volumes is preferable to using partitions because they can be more easily adjusted later.If creating a custom layout, create the partitions mentioned in the previous paragraph (which the installer will require anyway), as well as separate ones described in the following sections. If a system has already been installed, and the default partitioning scheme was used, it is possible but nontrivial to modify it to create separate logical volumes for the directories listed above. The Logical Volume Manager (LVM) makes this possible. See the LVM HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM. SLES-12-010450 SUSE Linux Enterprise 12 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the SUSE Linux Enterprise 12 Documentation web site: https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html SLES-12-010450 SV-91843r3_rule 13 14 APO01.06 BAI02.01 BAI06.01 DSS04.07 DSS05.03 DSS05.04 DSS05.07 DSS06.02 DSS06.06 3.13.16 CCI-001199 CCI-002475 CCI-002476 164.308(a)(1)(ii)(D) 164.308(b)(1) 164.310(d) 164.312(a)(1) 164.312(a)(2)(iii) 164.312(a)(2)(iv) 164.312(b) 164.312(c) 164.314(b)(2)(i) 164.312(d) SR 3.4 SR 4.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 SC-13 SC-28(1) PR.DS-1 PR.DS-5 SRG-OS-000405-GPOS-00184 SRG-OS-000185-GPOS-00079 SRG-OS-000404-VMM-001650 SRG-OS-000405-VMM-001660 The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. SLES-12-010850 If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. SLES-12-010850 SV-91957r3_rule 1.1.13 12 15 8 APO13.01 DSS05.02 CCI-000366 CCI-001208 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32(1) PR.PT-4 SRG-OS-000480-GPOS-00227 Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. If a file server (FTP, TFTP...) is hosted locally, create a separate partition for /srv at installation time (or migrate it later using LVM). If /srv will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. NT28(R12) Srv deserves files for local network file server such as FTP. Ensuring that /srv is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM. 1.1.2 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32(1) PR.PT-4 SRG-OS-000480-GPOS-00227 The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. SLES-12-010860 The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. SLES-12-010860 SV-91961r2_rule 1.1.6 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 SC-32(1) PR.PT-4 SRG-OS-000480-GPOS-00227 SRG-OS-000341-VMM-001220 Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages. System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM. 1.1.11 1 12 14 15 16 3 5 6 8 APO11.04 APO13.01 BAI03.05 DSS05.02 DSS05.04 DSS05.07 MEA02.01 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 AU-9 SC-32 PR.PT-1 PR.PT-4 Placing /var/log in its own partition enables better separation between log files and other files in /var/. SLES-12-010870 Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. SLES-12-010870 SV-91967r2_rule 1.1.12 1 12 13 14 15 16 2 3 5 6 8 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS05.02 DSS05.04 DSS05.07 MEA02.01 CCI-000366 164.312(a)(2)(ii) 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.2 SR 7.6 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.17.2.1 AU-4 AU-9 SC-32(1) PR.DS-4 PR.PT-1 PR.PT-4 SRG-OS-000480-GPOS-00227 SRG-OS-000341-VMM-001220 Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. SLES-12-010850 If user home directories will be stored locally, create a separate partition, e.g. /home, at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. SLES-12-010850 SV-91957r3_rule CCI-000366 CM-6(b) SRG-OS-000480-GPOS-00227 Ensuring that home directories are mounted on their own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphically rather than textually. The GNOME Graphical Display Manager (GDM) provides login, logout, and user switching contexts as well as display server management. GNOME is developed by the GNOME Project and is considered the default Red Hat Graphical environment. For more information on GNOME and the GNOME Project, see https://www.gnome.org. By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such the DConf User profile should always exist and be configured correctly. To make sure that the user profile is configured correctly, the /etc/dconf/profile/gdm should be set as follows: user-db:user system-db:gdm Failure to have a functional DConf profile prevents GNOME3 configuration settings from being enforced for all users and allows various security risks. echo -e 'user-db:user\nsystem-db:gdm' > /etc/dconf/profile/gdm By default, DConf uses a binary database as a data backend. The database is compiled from config files by the dconf update command. dconf can be configured to look into those text files directly by inserting the service-db:keyfile/user directive at the beginning of the /etc/dconf/profile/user file. Unlike text config files, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and dconf has to be forced to use them as the primary settings storage. mkdir -p /etc/dconf/profile if test -f /etc/dconf/profile/user then sed -i '1s|^|service-db:keyfile/user\n|' /etc/dconf/profile/user else echo 'service-db:keyfile/user' > /etc/dconf/profile/user fi In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow users to login automatically and/or with a guest account. The login screen should be configured to prevent such behavior. For more information about enforcing preferences in the GNOME3 environment using the DConf configuration system, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/index.html/> and the man page dconf(1). In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled. Run the following command to disable the user list: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gdm/simple-greeter/disable_user_list true AC-23 Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in. In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, the ability shutdown or restart the system. This functionality should be disabled by running the following: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gdm/simple-greeter/disable_restart_buttons true 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. SLES-12-010380 The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to authenticate themselves to the system that they are authorized to use. To disable user ability to automatically login to the system, set the AutomaticLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example: [daemon] AutomaticLoginEnable=false SLES-12-010380 SV-91829r2_rule 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.1 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(b) PR.IP-1 FIA_AFL.1 SRG-OS-000480-GPOS-00229 Failure to restrict system access to authenticated users negatively impacts operating system security. if rpm --quiet -q gdm then if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf then sed -i "/^\[daemon\]/a \ AutomaticLoginEnable=False" /etc/gdm/custom.conf else sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf fi fi GNOME media settings that apply to the graphical interface. The system's default desktop environment, GNOME, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount and autorun within GNOME by running the following: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/nautilus/preferences/media_automount false $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/nautilus/preferences/media_autorun_never true 12 16 APO13.01 DSS01.04 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 4.3.3.2.2 4.3.3.5.2 4.3.3.6.6 4.3.3.7.2 4.3.3.7.4 SR 1.1 SR 1.13 SR 1.2 SR 1.4 SR 1.5 SR 1.9 SR 2.1 SR 2.6 A.11.2.6 A.13.1.1 A.13.2.1 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1 AC-19(a) AC-19(d) AC-19(e) PR.AC-3 PR.AC-6 Disabling automatic mounting in GNOME can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media. The system's default desktop environment, GNOME, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. The following command can disable the execution of these thumbnail applications: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /desktop/gnome/thumbnailers/disable_all true This effectively prevents an attacker from gaining access to a system through a flaw in GNOME's Nautilus thumbnail creators. 11 14 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2 CM-7 PR.IP-1 PR.PT-3 An attacker with knowledge of a flaw in a GNOME thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload for example) and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required. GNOME network settings that apply to the graphical interface. GNOME allows users to create ad-hoc wireless connections through the NetworkManager applet. Wireless connections should be disabled by running the following: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/nm-applet/disable-wifi-create true Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. By default, GNOME disables WIFI notification when disconnecting from a wireless network. This should be permanently set so that users do not connect to a wireless network when the system finds one. While useful for mobile devices, this setting should be disabled for all other systems. To configure the system to disable the WIFI notication, run the following: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/nm-applet/disable-disconnected-notifications true Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. By default, GNOME disables WIFI notification when connecting to a wireless network. This should be permanently set so that users do not connect to a wireless network when the system finds one. While useful for mobile devices, this setting should be disabled for all other systems. To configure the system to disable the WIFI notication, run the following: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/nm-applet/disable-connected-notifications true Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. GNOME remote access settings that apply to the graphical interface. In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting Lock. The following sections detail commands to enforce idle activation of the screensaver, screen locking, a blank-screen screensaver, and an idle activation time. Because users should be trained to lock the screen when they step away from the computer, the automatic locking feature is only meant as a backup. The root account can be screen-locked; however, the root account should never be used to log into an X Windows environment and should only be used to for direct login via console in emergency circumstances. For more information about enforcing preferences in the GNOME3 environment using the DConf configuration system, see http://wiki.gnome.org/dconf and the man page dconf(1). Choose allowed duration (in seconds) of inactive graphical sessions 600 900 1800 300 900 Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication prompt 10 5 0 0 SLES-12-010080 To activate the GNOME3 lock screen after no less than 15 minutes, make sure that the GNOME idle-delay setting in org.gnome.desktop.session-delay is set to 900 or less for each user: gsettings get org.gnome.desktop.session idle-delay 900 To ensure that this setting is not modified by users, set it in an appropriate configuration file in the /etc/dconf/db/local.d directory and lock it in a file in the /etc/dconf/db/local.d/locks directory to prevent user modification. For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings: [org/gnome/desktop/session] idle-delay=uint32 900 Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/session/idle-delay After the settings have been set, run dconf update. When selecting this rule in a profile, make sure that rule with ID dconf_use_text_backend is selected as well: dconf-related rules can't be checked by OVAL if dconf is using a binary database as it's data backend. dconf has to be forced to use config files directly as backend, as those config files are checked by OVAL probes. SLES-12-010080 SV-91757r2_rule 1 12 15 16 5.5.5 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000057 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.8 SRG-OS-000029-GPOS-00010 A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. SLES-12-010100 To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to '' for each user: gsettings set org.gnome.desktop.screensaver picture-uri '' To ensure that this setting is not modified by users, you can add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example: [org/gnome/desktop/screensaver] picture-uri='' Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/screensaver/picture-uri After the settings have been set, run dconf update. When selecting this rule in a profile, make sure that rule with ID dconf_use_text_backend is selected as well: dconf-related rules can't be checked by OVAL if dconf is using a binary database as it's data backend. dconf has to be forced to use config files directly as backend, as those config files are checked by OVAL probes. SLES-12-010100 SV-91761r2_rule 1 12 15 16 5.5.5 DSS05.04 DSS05.10 DSS06.10 3.1.10 CCI-000060 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(b) PR.AC-7 FMT_MOF_EXT.1 Req-8.1.8 Setting the screensaver mode to blank-only conceals the contents of the display from passersby. Run the following command to prevent changes to the screensaver lock keybindings: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l" 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily. Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 Req-8.1.8 Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area. Run the following command to set the idle time-out value for inactivity in the GNOME desktop to _{minutes: $ sudo gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /desktop/gnome/session/idle_delay} 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 Req-8.1.8 Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby. Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(a) PR.AC-7 Req-8.1.8 Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby. Run the following command to set force logout an inactive user when the maximum allowed inactivity period has expired: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /desktop/gnome/session/max_idle_action "forced-logout" Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session and will also free up resources utilized by an idle session. Run the following command to set the maximum allowed period of inactivity for an inactive user in the GNOME desktop to _{minutes: $ sudo gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /desktop/gnome/session/max_idle_time} Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session and will also free up resources utilized by an idle session. Run the following command to set the screensaver mode in the GNOME desktop to a blank screen: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only 1 12 15 16 DSS05.04 DSS05.10 DSS06.10 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3 AC-11(b) PR.AC-7 Req-8.1.8 Setting the screensaver mode to blank-only conceals the contents of the display from passersby. SLES-12-010060 To activate the GNOME3 lock screen, make sure that the GNOME disable-lock-screen setting in org.gnome.desktop.lockdown is set to false for each user: gsettings get org.gnome.desktop.lockdown disable-lock-screen false To activate the lock screen for an existing user, run: gsettings set org.gnome.desktop.lockdown disable-lock-screen false To activate the lock screen by default, add or set disable-lock-screen to false in /etc/dconf/db/local.d/00-security-settings. For example: [org/gnome/desktop/lockdown] disable-lock-screen=false Once the settings have been added, you can add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/lockdown/disable-lock-screen After the global settings have been set, run dconf update. SLES-12-010060 SV-91753r2_rule CCI-000056 AC-11(b) SRG-OS-000028-GPOS-00009 SRG-OS-000030-GPOS-00011 A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. GNOME provides configuration and functionality to a graphical desktop environment that changes grahical configurations or allow a user to perform actions that users normally would not be able to do in non-graphical mode such as remote access configuration, power policies, Geo-location, etc. Configuring such settings in GNOME will prevent accidential graphical configuration changes by users from taking place. SLES-12-010610 By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed. To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to string '' in /etc/dconf/db/local.d/00-security-settings. For example: [org/gnome/settings-daemon/plugins/media-keys] logout='' Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/settings-daemon/plugins/media-keys/logout After the settings have been set, run dconf update. When selecting this rule in a profile, make sure that rule with ID dconf_use_text_backend is selected as well: dconf-related rules can't be checked by OVAL if dconf is using a binary database as it's data backend. dconf has to be forced to use config files directly as backend, as those config files are checked by OVAL probes. SLES-12-010610 SV-91867r3_rule 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.2 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227 A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. _{include_dconf_settings dconf_settings 'org/gnome/settings-daemon/plugins/media-keys' 'logout' "''" 'local.d' '00-security-settings' dconf_lock 'org/gnome/settings-daemon/plugins/media-keys' 'logout' 'local.d' '00-security-settings-lock'} Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/panel/applets/clock/prefs/show_temperature false Disabling the temperature feature in the GNOME clock prevents the system from connecting to the internet and diclosing the system location when set by a user. Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/panel/applets/clock/prefs/show_weather false Disabling the weather feature in the GNOME clock prevents the system from connecting to the internet and diclosing the system location when set by a user. By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed. To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, run the following: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome_settings_daemon/keybindings/power "" 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 AC-6 PR.AC-4 PR.DS-5 A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevention System, etc. However, installing or enabling integrity checking tools cannot prevent intrusions, but they can detect that an intrusion may have occurred. Requirements for integrity checking may be highly dependent on the environment in which the system will be used. Snapshot-based approaches such as AIDE may induce considerable overhead in the presence of frequent software updates. The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file /etc/sysconfig/prelink: PRELINKING=no Next, run the following command to return binaries to a normal, non-prelinked state: $ sudo /usr/sbin/prelink -ua 1.5.4 11 13 14 2 3 9 5.10.1.3 APO01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS04.07 DSS05.03 DSS06.02 DSS06.06 3.13.11 CCI-000803 CCI-002450 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.3 CM-6(d) CM-6(3) SC-13 SC-28 SI-7 IA-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 Req-11.5 SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000396-VMM-001590 Because the prelinking feature changes binaries, it can interfere with the operation of certain software and/or modes such as AIDE, FIPS, etc. _{disable_prelink} The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stability and security over the life of the product. A certified product that follows the necessary standards and government certification requirements guarantees that known software vulnerabilities will be remediated, and proper guidance for protecting and securing the operating system will be given. To enable processing of sensitive information the operating system must provide certified cryptographic modules compliant with FIPS 140-2 standard. There is no remediation besides switching to a different operating system. CCI-000803 CCI-002450 IA-5 IA-7 SC-13 SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000396-VMM-001590 The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2) is a computer security standard. The standard specifies security requirements for cryptographic modules used to protect sensitive unclassified information. Refer to the full FIPS 140-2 standard at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf for further details on the requirements. FIPS 140-2 validation is required by U.S. law when information systems use cryptography to protect sensitive government information. In order to achieve FIPS 140-2 certification, cryptographic modules are subject to extensive testing by independent laboratories, accredited by National Institute of Standards and Technology (NIST). SLES-12-010000 The installed operating system must be maintained and certified by a vendor. SUSE Linux Enterprise is supported and maintained by SUSE. SUSE is responsible for providing security patches as well as meeting and maintaining goverment certifications and standards. Up-to date information on the support status of your operating system release can be found at https://www.suse.com/lifecycle/ There is no remediation besides switching to a different operating system. SLES-12-010000 SV-91741r2_rule CCI-000366 SI-2(c) SRG-OS-000480-GPOS-00227 An operating system is considered "supported" if the vendor continues to provide security patches for the product as well as maintain government certification requirements. With an unsupported release, it will not be possible to resolve security issue discovered in the system software as well as meet government certifications. Linux has the capability to centrally configure cryptographic polices. The command update-crypto-policies is used to set the policy applicable for the various cryptographic back-ends, such as SSL/TLS libraries. The configured cryptographic policies will be the default policy used by these backends unless the application user configures them otherwise. When the system has been configured to use the centralized cryptographic policies, the administrator is assured that any application that utilizes the supported backends will follow a policy that adheres to the configured profile. Currently the supported backends are: GnuTLS libraryOpenSSL libraryNSS libraryOpenJDKLibkrb5BINDOpenSSH Applications and languages which rely on any of these backends will follow the system policies as well. Examples are apache httpd, nginx, php, and others. Specify the crypto policy for the system. DEFAULT FIPS LEGACY FUTURE NEXT To configure the system cyptography policy to use ciphers only from the policy, run the following command: $ sudo update-crypto-policies --set Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative security capabilities to those provided by the base platform. Add-on software may not be appropriate for some specialized systems. The operating system must conduct backups of user data contained in the operating system. The operating system provides utilities for automating backups of user data. Commercial and open-source products are also available. Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.false In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems. Specify the amount of time (in seconds) before McAfee definition files need to be updated. 2592000 86400 604800 2592000 McAfee Host-based Security System (HBSS) is a suite of software applications used to monitor, detect, and defend computer networks and systems. The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working groups to validate the quality of cryptographic modules. The FIPS standard provides four security levels to ensure adequate coverage of different industries, implementation of cryptographic modules, and organizational sizes and requirements. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on SUSE Linux Enterprise 12. See http://csrc.nist.gov/publications/PubsFIPS.html for more information. To enable FIPS mode, run the following command: fips-mode-setup --enable To enable FIPS, the system requires that the fips module is added in dracut configuration. Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " The system needs to be rebooted for these changes to take effect. The ability to enable FIPS does not denote FIPS compliancy or certification. SUSE Linux Enterprise 12 is FIPS certified and compliant. Community projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliancy. Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm for a list of FIPS certified vendors. CCI-000068 CCI-000803 CCI-002450 SC-13 AC-17(2) IA-7 SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000396-VMM-001590 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. SLES-12-010420 Enabling FIPS mode on a preexisting system involves a number of modifications to the SUSE operating system. The patterns-sles-fips package can be installed with the following command: $ sudo zypper install patterns-sles-fips Then refer to section 9.1, "Crypto Officer Guidance", of the following document for installation guidance: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdf Furthermore, the system running in FIPS mode should be FIPS certified by NIST. The system needs to be rebooted for these changes to take effect. The ability to enable FIPS does not denote FIPS compliancy or certification. SUSE Linux Enterprise 12 is FIPS certified and compliant. Community projects such as CentOS, Scientific Linux, Fedora, openSUSE, etc. do not necessarily meet FIPS certification and compliancy. Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm for a list of FIPS certified vendors. SLES-12-010420 SV-91837r2_rule CCI-000068 CCI-000803 CCI-002450 SC-13 AC-17(2) IA-7 SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000396-VMM-001590 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. System running in FIPS mode is indicated by kernel parameter 'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. To enable FIPS mode, run the following command: fips-mode-setup --enable The system needs to be rebooted for these changes to take effect. The ability to enable FIPS does not denote FIPS compliancy or certification. SUSE Linux Enterprise 12 is FIPS certified and compliant. Community projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliancy. Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm for a list of FIPS certified vendors. CCI-000068 CCI-000803 CCI-002450 IA-5 SC-13 AC-17(2) IA-7 SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000396-VMM-001590 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of file metadata (such as hashes) and compares these to current system files in order to detect changes. The RPM package management system can conduct integrity checks by comparing information in its metadata database with files installed on the system. AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created immediately after initial system configuration, and then again after any software update. AIDE is highly configurable, with further configuration information located in /usr/share/doc/aide-VERSION. Run the following command to generate a new database: $ sudo /usr/sbin/aide --init By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: $ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz To initiate a manual check, run the following command: $ sudo /usr/sbin/aide --check If this check produces any unexpected output, investigate. 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 CM-3(d) CM-3(e) CM-6(d) CM-6(3) SC-28 SI-7 DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5 For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. - name: Ensure AIDE is installed package: name: '{{ item }}' state: present with_items: - aide tags: - aide_build_database - medium_severity - restrict_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-CM-3(d) - NIST-800-53-CM-3(e) - NIST-800-53-CM-6(d) - NIST-800-53-CM-6(3) - NIST-800-53-SC-28 - NIST-800-53-SI-7 - PCI-DSS-Req-11.5 - CJIS-5.10.1.3 - name: Build and Test AIDE Database command: /usr/sbin/aide --init changed_when: true tags: - aide_build_database - medium_severity - restrict_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-CM-3(d) - NIST-800-53-CM-3(e) - NIST-800-53-CM-6(d) - NIST-800-53-CM-6(3) - NIST-800-53-SC-28 - NIST-800-53-SI-7 - PCI-DSS-Req-11.5 - CJIS-5.10.1.3 - name: Check whether the stock AIDE Database exists stat: path: /var/lib/aide/aide.db.new.gz register: aide_database_stat tags: - aide_build_database - medium_severity - restrict_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-CM-3(d) - NIST-800-53-CM-3(e) - NIST-800-53-CM-6(d) - NIST-800-53-CM-6(3) - NIST-800-53-SC-28 - NIST-800-53-SI-7 - PCI-DSS-Req-11.5 - CJIS-5.10.1.3 - name: Stage AIDE Database copy: src: /var/lib/aide/aide.db.new.gz dest: /var/lib/aide/aide.db.gz backup: true remote_src: true when: (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists) tags: - aide_build_database - medium_severity - restrict_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-CM-3(d) - NIST-800-53-CM-3(e) - NIST-800-53-CM-6(d) - NIST-800-53-CM-6(3) - NIST-800-53-SC-28 - NIST-800-53-SI-7 - PCI-DSS-Req-11.5 - CJIS-5.10.1.3 SLES-12-010500 At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable. SLES-12-010500 SV-91847r3_rule 1.3.2 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 CCI-001744 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 CM-3(d) CM-3(e) CM-3(5) CM-6(d) CM-6(3) SC-28 SI-7 DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5 SRG-OS-000363-GPOS-00150 By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. _{package_install aide if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab fi} - name: Ensure AIDE is installed package: name: '{{ item }}' state: present with_items: - aide when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - aide_periodic_cron_checking - medium_severity - restrict_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-CM-3(d) - NIST-800-53-CM-3(e) - NIST-800-53-CM-3(5) - NIST-800-53-CM-6(d) - NIST-800-53-CM-6(3) - NIST-800-53-SC-28 - NIST-800-53-SI-7 - PCI-DSS-Req-11.5 - CJIS-5.10.1.3 - DISA-STIG-010500 - name: Configure Periodic Execution of AIDE cron: name: run AIDE check minute: 5 hour: 4 weekday: 0 user: root job: /usr/sbin/aide --check when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - aide_periodic_cron_checking - medium_severity - restrict_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-CM-3(d) - NIST-800-53-CM-3(e) - NIST-800-53-CM-3(5) - NIST-800-53-CM-6(d) - NIST-800-53-CM-6(3) - NIST-800-53-SC-28 - NIST-800-53-SI-7 - PCI-DSS-Req-11.5 - CJIS-5.10.1.3 - DISA-STIG-010500 SLES-12-010510 AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line: | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost Otherwise, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost AIDE can be executed periodically through other means; this is merely one example. CCI-002702 SI-6d SLES-12-010510 SV-91849r2_rule 1 11 12 13 15 16 2 3 5 7 8 9 BAI01.06 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.05 DSS05.07 CCI-001744 4.3.4.3.2 4.3.4.3.3 SR 6.2 SR 7.6 A.12.1.2 A.12.4.1 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 CM-3(5) DE.CM-1 DE.CM-7 PR.IP-1 PR.IP-3 SRG-OS-000363-GPOS-00150 Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. _{package_install aide CRONTAB=/etc/crontab CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly' if [ -f /var/spool/cron/root ]; then VARSPOOL=/var/spool/cron/root fi if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB fi} SLES-12-010520 By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf: FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. CM-6b SLES-12-010520 SV-91851r1_rule 2 3 APO01.06 BAI03.05 BAI06.01 DSS06.02 CCI-000366 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 A.11.2.4 A.12.2.1 A.12.5.1 A.14.1.2 A.14.1.3 A.14.2.4 SI-7.1 PR.DS-6 PR.DS-8 SRG-OS-000480-GPOS-00227 ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. _{package_install aide aide_conf="/etc/aide.conf" groups=$(LC_ALL=C grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u) for group in $groups do config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ') if ! [[ $config = *acl* ]] then if [[ -z $config ]] then config="acl" else config=$config"+acl" fi fi sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf done} SLES-12-010530 By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf: FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. CM-6b SLES-12-010530 SV-91853r1_rule 2 3 APO01.06 BAI03.05 BAI06.01 DSS06.02 CCI-000366 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 A.11.2.4 A.12.2.1 A.12.5.1 A.14.1.2 A.14.1.3 A.14.2.4 SI-7.1 PR.DS-6 PR.DS-8 SRG-OS-000480-GPOS-00227 Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. _{package_install aide aide_conf="/etc/aide.conf" groups=$(LC_ALL=C grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u) for group in $groups do config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ') if ! [[ $config = *xattrs* ]] then if [[ -z $config ]] then config="xattrs" else config=$config"+xattrs" fi fi sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf done} The aide package can be installed with the following command: $ sudo zypper install aide CCI-001744 1.3.1 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 CM-3(d) CM-3(e) CM-6(d) CM-6(3) SC-28 SI-7 DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5 The AIDE package must be installed if it is to be available for integrity checking. _{package_install aide} - name: Ensure aide is installed package: name: aide state: present tags: - package_aide_installed - medium_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed - NIST-800-53-CM-3(d) - NIST-800-53-CM-3(e) - NIST-800-53-CM-6(d) - NIST-800-53-CM-6(3) - NIST-800-53-SC-28 - NIST-800-53-SI-7 - PCI-DSS-Req-11.5 - CJIS-5.10.1.3 include install_aide class install_aide { package { 'aide': ensure => 'installed', } } SLES-12-010540 The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools. SLES-12-010540 SV-91855r1_rule CCI-001496 AU-9(3) Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. _{package_install aide || exit 1 aide_conf="/etc/aide.conf" tools="auditctl auditd ausearch aureport autrace audispd augenrules" for tool in $tools ; do if ! grep -x -q -F "/usr/sbin/$tool p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" "$aide_conf" ; then if grep -q "^/usr/sbin/$tool\s" "$aide_conf" ; then sed -i --follow-symlinks -E -e 's/^\/usr\/sbin\/'"$tool"'\s[^\n]*/\/usr\/sbin\/'"$tool"' p+i+n+u+g+s+b+acl+selinux+xattrs+sha512/' "$aide_conf" || exit 1 else echo "/usr/sbin/$tool p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> "$aide_conf" || exit 1 fi fi done true} The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database. Although an attacker could corrupt the RPM database (analogous to attacking the AIDE database as described above), this check can still reveal modification of important files. To list which files on the system differ from what is expected by the RPM database: $ rpm -qVa See the man page for rpm to see a complete explanation of each column. SAP (Systems, Applications and Products in Data Processing) is enterprise software to manage business operations and customer relations. The following section contains SAP specific requirement that is not part of standard or common OS setting. List the user accounts that are authorized locally on the operating system. This list includes both users requried by the operating system and by the installed applications. Depending on the Operating System distribution, version, software groups and applications, the user list is different and can be customized with scap-workbench. OVAL regular expression is used for the user list. The list starts with '^' and ends with '$' so that it matches exactly the username, not any string that includes the username. Users are separated with '|'. For example, three users: bin, oracle and sapadm are allowd, then the list is ^(bin|oracle|sapadm)$. The user root is the only user that is hard coded in OVAL that is always allowed on the operating system. ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$ ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$ ^$ SLES-12-010630 Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only authorized local users required by the installed softoware groups and applications that exist on the operating system. The authorized user list can be customized in the refine value variable var_accounts_authorized_local_users_regex. OVAL regular expression is used for the user list. Configure the system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. To remove unauthorized system accounts, use the following command: $ sudo userdel unauthorized_user CM-6(b) SLES-12-010630 SV-91871r1_rule CCI-000366 Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. Sudo, which stands for \"su 'do'\", provides the ability to delegate authority to certain users, groups of users, or system administrators. When configured for system users and/or groups, Sudo can allow a user or group to execute privileged commands that normally only root is allowed to execute. For more information on Sudo and addition Sudo configuration options, see https://www.sudo.ws. SLES-12-010110 The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. SLES-12-010110 SV-91763r2_rule NT28(R5) 1 12 15 16 5 DSS05.04 DSS05.10 DSS06.03 DSS06.10 CCI-002038 4.3.3.5.1 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-11 PR.AC-1 PR.AC-7 SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158 SRG-OS-000373-VMM-001470 SRG-OS-000373-VMM-001480 SRG-OS-000373-VMM-001490 Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. SLES-12-010110 The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. SLES-12-010110 SV-91763r2_rule NT28(R5) 1 12 15 16 5 DSS05.04 DSS05.10 DSS06.03 DSS06.10 CCI-002038 4.3.3.5.1 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-11 PR.AC-1 PR.AC-7 SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158 SRG-OS-000373-VMM-001470 SRG-OS-000373-VMM-001480 SRG-OS-000373-VMM-001490 Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. The sudo NOPASSWD and !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that NOPASSWD and/or !authenticate do not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/." 1 12 15 16 5 DSS05.04 DSS05.10 DSS06.03 DSS06.10 4.3.3.5.1 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 A.18.1.4 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3 IA-11 PR.AC-1 PR.AC-7 Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the vdsm user should have this capability in any sudo configuration snippets in /etc/sudoers.d/. Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. The zypper command line tool is used to install and update software packages. The system also provides a graphical software update tool in the System menu, in the Administration submenu, called Software Update. SUSE Linux Enterprise 12 systems contain an installed software catalog called the RPM database, which records metadata of installed packages. Consistently using zypper or the graphical Software Update for all software installation allows for insight into the current inventory of installed software on the system. SLES-12-010570 zypper should be configured to remove previous software components after new versions have been installed. To configure zypper to remove the previous software components after updating, set the solver.upgradeRemoveDroppedPackages to 1 in /etc/zypp/zypp.conf. SLES-12-010570 SV-91859r2_rule 18 20 4 APO12.01 APO12.02 APO12.03 APO12.04 BAI03.10 DSS05.01 DSS05.02 3.4.8 CCI-002617 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 A.12.6.1 A.14.2.3 A.16.1.3 A.18.2.2 A.18.2.3 SI-2(6) CM-11 ID.RA-1 PR.IP-12 SRG-OS-000437-GPOS-00194 SRG-OS-000437-VMM-001760 Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. _{replace_or_append '/etc/zypp/zypp.conf' '^solver.upgradeRemoveDroppedPackages' 'true' '' '%s=%s'} SLES-12-010550 The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure zypper to check package signatures before installing them, ensure the following line appears in /etc/zypp/zypp.conf in the [main] section: gpgcheck = on repo_gpgcheck = on pkg_gpgcheck = on SLES-12-010550 SV-91857r2_rule 1.2.2 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) CM-11 SI-7 MA-1(b) PR.DS-6 PR.DS-8 PR.IP-1 FAU_GEN.1.1.c Req-6.2 SRG-OS-000366-GPOS-00153 SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650 Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). _{replace_or_append "/etc/zypp/zypp.conf" '^gpgcheck' 'on' '' replace_or_append "/etc/zypp/zypp.conf" '^repo_gpgcheck' 'on' '' replace_or_append "/etc/zypp/zypp.conf" '^pkg_gpgcheck' 'on' ''} SLES-12-010010 If the system is configured for online updates, invoking the following command will list available security updates: $ sudo zypper refresh && sudo zypper list-patches -g security NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates. CCI-001227 SLES-12-010010 SV-91743r2_rule 1.8 18 20 4 5.10.4.1 APO12.01 APO12.02 APO12.03 APO12.04 BAI03.10 DSS05.01 DSS05.02 CCI-000366 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 A.12.6.1 A.14.2.3 A.16.1.3 A.18.2.2 A.18.2.3 SI-2 SI-2(c) MA-1(b) ID.RA-1 PR.IP-12 FMT_MOF_EXT.1 Req-6.2 SRG-OS-000480-GPOS-00227 SRG-OS-000480-VMM-002000 Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. zypper ref zypper patch -g security -y - name: Security patches are up to date package: name: '*' state: latest tags: - security_patches_up_to_date - high_severity - skip_ansible_lint - patch_strategy - low_complexity - high_disruption - reboot_required - NIST-800-53-SI-2 - NIST-800-53-SI-2(c) - NIST-800-53-MA-1(b) - PCI-DSS-Req-6.2 - CJIS-5.10.4.1 - DISA-STIG-010010 The following sections contain information on security-relevant choices in the kernel configuration. SLES-12-010580 To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: blacklist usb-storage SLES-12-010580 SV-91861r2_rule CCI-001958 IA-3 Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include but are not limited to such devices as flash drives, external storage, and printers. echo 'blacklist usb-storage' >> /etc/modprobe.d/50-blacklist.conf Many security vulnerabilities result from bugs in trusted programs. A trusted program runs with privileges that attackers want to possess. The program fails to keep that trust if there is a bug in the program that allows the attacker to acquire said privilege. AppArmor® is an application security solution designed specifically to apply privilege confinement to suspect programs. AppArmor allows the administrator to specify the domain of activities the program can perform by developing a security profile. A security profile is a listing of files that the program may access and the operations the program may perform. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if previously unknown vulnerabilities are being exploited. Fore more information on using AppArmor, see https://www.suse.com/documentation/sles-12/book_security/data/cha_apparmor_intro.html. SLES-12-010600 Verify that the SUSE operating system Apparmor tool is configured to control whitelisted applications and user home directory access control. Check that pam_apparmor is installed on the system with the following command: # rpm -q pam_apparmor Check that the "apparmor" daemon is running with the following command: # systemctl status apparmor.service | grep -i active Active: active (exited) since Fri 2017-01-13 01:01:01 GMT; 1day 1h ago Note: pam_apparmor must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the pam_apparmor documentation for more information on configuring profiles. SLES-12-010600 SV-91865r2_rule CCI-001774 CCI-002165 CCI-002233 CCI-002235 AC-3(4) AC-6(8) AC-6(10) CM-7(5)(b) SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000326-GPOS-00126 SRG-OS-000370-GPOS-00155 SRG-OS-000480-GPOS-00230 Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Verification of whitelisted software occurs prior to execution or at system startup. Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources. Apparmor can confine users to their home directory, not allowing them to make any changes outside of their own home directories. Confining users to their home directory will minimize the risk of sharing information. The apparmor service loads AppArmor profiles into the kernel. The apparmor service can be enabled with the following command: $ sudo systemctl enable apparmor.service Protection of system integrity using AppArmor depends on this service being started during boot. _{package_install 'apparmor-parser' || exit 1 SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'apparmor.service' "$SYSTEMCTL_EXEC" enable 'apparmor.service'} - name: Enable service apparmor service: name: apparmor enabled: 'yes' state: started when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - service_apparmor_enabled - medium_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed The pam_apparmor package can be installed with the following command: $ sudo zypper install pam_apparmor Protection of system integrity using AppArmor depends on this package being installed. _{package_install pam_apparmor} - name: Ensure pam_apparmor is installed package: name: pam_apparmor state: present when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - package_pam_apparmor_installed - medium_severity - enable_strategy - low_complexity - low_disruption - no_reboot_needed include install_pam_apparmor class install_pam_apparmor { package { 'pam_apparmor': ensure => 'installed', } } combine_ovals.py from SCAP Security Guide ssg: [0, 1, 44], python: 3.7.2 5.11 2019-04-18T09:25:33 CentOS 6 SUSE Linux Enterprise 12 The operating system installed on the system is CentOS 6 CentOS 7 SUSE Linux Enterprise 12 The operating system installed on the system is CentOS 7 CentOS 8 SUSE Linux Enterprise 12 The operating system installed on the system is CentOS 8 Debian 8 SUSE Linux Enterprise 12 The operating system installed on the system is Debian 8 Installed operating system is Fedora SUSE Linux Enterprise 12 The operating system installed on the system is Fedora Oracle Linux 6 SUSE Linux Enterprise 12 The operating system installed on the system is Oracle Linux 6 Oracle Linux 7 SUSE Linux Enterprise 12 The operating system installed on the system is Oracle Linux 7 Oracle Linux 8 SUSE Linux Enterprise 12 The operating system installed on the system is Oracle Linux 8 openSUSE SUSE Linux Enterprise 12 The operating system installed on the system is openSUSE. openSUSE Leap 15 SUSE Linux Enterprise 12 The operating system installed on the system is openSUSE Leap 15. openSUSE Leap 42 SUSE Linux Enterprise 12 The operating system installed on the system is openSUSE Leap 42. Installed operating system is part of the Unix family SUSE Linux Enterprise 12 The operating system installed on the system is part of the Unix OS family Red Hat Enterprise Linux 6 SUSE Linux Enterprise 12 The operating system installed on the system is Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 SUSE Linux Enterprise 12 The operating system installed on the system is Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 SUSE Linux Enterprise 12 The operating system installed on the system is Red Hat Enterprise Linux 8 Red Hat Virtualization 4 SUSE Linux Enterprise 12 The operating system installed on the system is Red Hat Virtualization Host 4 or Red Hat Enterprise Host. Scientific Linux 6 SUSE Linux Enterprise 12 The operating system installed on the system is Scientific Linux 6 Scientific Linux 7 SUSE Linux Enterprise 12 The operating system installed on the system is Scientific Linux 7 Scientific Linux 8 SUSE Linux Enterprise 12 The operating system installed on the system is Scientific Linux 8 SUSE Linux Enterprise 11 SUSE Linux Enterprise 12 The operating system installed on the system is SUSE Linux Enterprise 11. SUSE Linux Enterprise 12 SUSE Linux Enterprise 12 The operating system installed on the system is SUSE Linux Enterprise 12. Ubuntu SUSE Linux Enterprise 12 The operating system installed is an Ubuntu System Ubuntu 1404 SUSE Linux Enterprise 12 The operating system installed on the system is Ubuntu 1404 Ubuntu 1604 SUSE Linux Enterprise 12 The operating system installed on the system is Ubuntu 1604 Ubuntu 1804 SUSE Linux Enterprise 12 The operating system installed on the system is Ubuntu 1804 WRLinux SUSE Linux Enterprise 12 The operating system installed on the system is Wind River Linux Red Hat OpenShift Container Platform SUSE Linux Enterprise 12 The application installed installed on the system is OpenShift 3. Red Hat OpenStack Platform SUSE Linux Enterprise 12 The application installed installed on the system is Red Hat OpenStack Platform 13. Red Hat Virtualization 4 SUSE Linux Enterprise 12 The application installed installed on the system is Red Hat Virtualization 4. Package libuser is installed SUSE Linux Enterprise 12 Checks if package libuser is installed. Package nss-pam-ldapd is installed SUSE Linux Enterprise 12 Checks if package nss-pam-ldapd is installed. Package pam is installed SUSE Linux Enterprise 12 Checks if package pam is installed. Package shadow-utils is installed SUSE Linux Enterprise 12 Checks if package shadow-utils is installed. Package systemd is installed SUSE Linux Enterprise 12 Checks if package systemd is installed. Package yum or zypper is installed SUSE Linux Enterprise 12 Checks if package yum or zypper is installed. Package yum is installed SUSE Linux Enterprise 12 Checks if package yum is installed. Check if the scan target is a container SUSE Linux Enterprise 12 Check for presence of files characterizing container filesystems. Check if the scan target is a machine SUSE Linux Enterprise 12 Check for absence of files characterizing container filesystems. centos-release centos-release centos-release /etc/debian_version /etc/debian_version ^8.[0-9]+$ 1 fedora-release /etc/system-release-cpe ^cpe:\/o:fedoraproject:fedora:[\d]+$ 1 oraclelinux-release oraclelinux-release oraclelinux-release openSUSE-release openSUSE-release openSUSE-release redhat-release-client redhat-release-workstation redhat-release-server redhat-release-computenode redhat-release-client redhat-release-workstation redhat-release-server redhat-release-computenode redhat-release-virtualization-host /etc/redhat-release ^Red Hat Enterprise Linux release (\d)\.\d+$ 1 redhat-release redhat-release-virtualization-host /etc/redhat-release ^Red Hat Enterprise Linux release (\d)\.\d+$ 1 sl-release sl-release sl-release sled-release sles-release sled-release sles-release SLES_SAP-release /etc/lsb-release /etc/lsb-release ^DISTRIB_ID=Ubuntu$ 1 /etc/lsb-release ^DISTRIB_CODENAME=trusty$ 1 /etc/lsb-release ^DISTRIB_CODENAME=xenial$ 1 /etc/lsb-release ^DISTRIB_CODENAME=bionic$ 1 /etc/wrlinux-release atomic-openshift atomic-openshift-node atomic-openshift-hyperkube rhosp-release rhvm-appliance libuser nss-pam-ldapd pam shadow-utils systemd yum zypper yum /.dockerenv /run/.containerenv ^6.*$ ^7.*$ ^8.*$ ^6Server$ ^7.*$ ^8.*$ openSUSE-release ^15.*$ ^42.*$ unix ^6.*$ ^6.*$ ^6.*$ ^6.*$ unix ^7.*$ ^7.*$ ^7.*$ ^7.*$ 7 unix ^8.*$ ^4.*$ 7 ^6.*$ ^7.*$ ^8.*$ unix ^11.*$ ^11.*$ unix ^12.*$ ^12.*$ ^12.*$ unix ^3.*$ ^3.*$ ^3.*$ ^13.*$ ^4.*$ SUSE Linux Enterprise Server 12 oval:ssg-installed_OS_is_sle12:def:1 SUSE Linux Enterprise Server 12 oval:ssg-installed_OS_is_sle12:def:1 SUSE Linux Enterprise Desktop 12 oval:ssg-installed_OS_is_sle12:def:1 Container oval:ssg-installed_env_is_a_container:def:1 Bare-metal or Virtual Machine oval:ssg-installed_env_is_a_machine:def:1