DISA STIG for SUSE Linux Enterprise Micro (SLEM) 5
This profile contains configuration checks that align to the DISA STIG for SUSE Linux Enterprise Micro (SLEM) 5.


Columns: ID | Severity | Title | Discussion (Rationale) | Fix Text (Description) | Check Text (OCIL Check) | SRG Refs | CCI Refs | 800-53 Refs
xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay medium Ensure the Logon Failure Delay is Set Correctly in login.defs Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY 
Verify SUSE Linux Enterprise Micro 5 enforces a delay of at least the configured number of seconds between console logon prompts following a failed logon attempt with the following command:

$ sudo grep -i "FAIL_DELAY" /etc/login.defs
FAIL_DELAY 
Is it the case that the value of "FAIL_DELAY" is not set to the value of var_accounts_fail_delay or greater, or the line is commented out?

SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CM-6 b
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay medium Enforce Delay After Failed Logon Attempts Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. To configure the system to introduce a delay after failed logon attempts, add or correct the pam_faildelay settings in /etc/pam.d/common-auth to make sure its delay parameter is set to the configured value or greater. For example:
auth required pam_faildelay.so delay=
Verify that the SUSE Linux Enterprise Micro 5 operating system enforces a minimum delay between logon prompts following a failed logon attempt.

# grep pam_faildelay /etc/pam.d/common-auth
auth required pam_faildelay.so delay=

If the value of delay is not set to the configured value or greater, "delay" is commented out, "delay" is missing, or the "pam_faildelay" line is missing completely, this is a finding.
Is it the case that the value of delay is not set properly or the line is commented or missing?

SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CM-6 b
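The two delay checks above (FAIL_DELAY in /etc/login.defs and delay= on the pam_faildelay line) share the same failure modes: the line is missing, commented out, or carries a value below the required one. The following script is an added example, not part of the SSG/STIG content; it evaluates both checks against constructed sample files, and the thresholds it uses (4 seconds, and the equivalent 4000000 microseconds for pam_faildelay) are illustrative because the profile's own value (var_accounts_fail_delay) is not shown on this page.

```shell
#!/bin/sh
# Added example, not part of the SSG/STIG content: evaluate the two logon-delay
# checks the way an assessor would, treating a commented-out line, a missing
# line or a value below the threshold as a finding. It runs against constructed
# sample files so it can be tried offline; point it at the real /etc/login.defs
# and /etc/pam.d/common-auth to assess a system.

# check_fail_delay FILE MIN_SECONDS -> 0 if an active FAIL_DELAY line is >= MIN_SECONDS
check_fail_delay() {
    file=$1; min=$2
    # Only lines that start with FAIL_DELAY count; "# FAIL_DELAY 4" is commented out.
    # If the key appears more than once, the last active line is used.
    value=$(grep -E '^[[:space:]]*FAIL_DELAY[[:space:]]+[0-9]+' "$file" 2>/dev/null \
        | tail -n 1 | awk '{print $2}')
    if [ -z "$value" ]; then
        echo "FAIL: FAIL_DELAY missing or commented out in $file"
        return 1
    fi
    if [ "$value" -lt "$min" ]; then
        echo "FAIL: FAIL_DELAY=$value is below the required $min in $file"
        return 1
    fi
    echo "PASS: FAIL_DELAY=$value in $file"
}

# check_pam_faildelay FILE MIN_USEC -> 0 if an active pam_faildelay line carries
# delay=N with N >= MIN_USEC. pam_faildelay's delay= is in microseconds, so a
# four second delay is written delay=4000000.
check_pam_faildelay() {
    file=$1; min=$2
    # An active entry is an "auth" line that names pam_faildelay.so before any '#'.
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+[^#]*pam_faildelay\.so' "$file" 2>/dev/null \
        | tail -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: pam_faildelay line missing or commented out in $file"
        return 1
    fi
    value=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]delay=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$value" ]; then
        echo "FAIL: pam_faildelay is configured without a delay= parameter in $file"
        return 1
    fi
    if [ "$value" -lt "$min" ]; then
        echo "FAIL: delay=$value is below the required $min in $file"
        return 1
    fi
    echo "PASS: delay=$value in $file"
}

# Constructed sample configuration fragments (not taken from any real system).
tmp=$(mktemp -d)
printf '# FAIL_DELAY 4\nUMASK 077\nFAIL_DELAY 4\n' > "$tmp/login.defs.ok"
printf '#FAIL_DELAY 4\nUMASK 077\n' > "$tmp/login.defs.commented"
printf 'FAIL_DELAY 2\n' > "$tmp/login.defs.low"
printf 'auth required pam_env.so\nauth required pam_faildelay.so delay=4000000\n' \
    > "$tmp/common-auth.ok"
printf '#auth required pam_faildelay.so delay=4000000\nauth required pam_unix.so\n' \
    > "$tmp/common-auth.commented"
printf 'auth required pam_faildelay.so\n' > "$tmp/common-auth.nodelay"

# Report on every sample; a non-zero return is a finding, not a script error.
for f in "$tmp"/login.defs.*; do check_fail_delay "$f" 4 || :; done
for f in "$tmp"/common-auth.*; do check_pam_faildelay "$f" 4000000 || :; done
```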
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_file medium SLEM 5 must use the default pam_tally2 tally directory. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. This rule configures the system to use the default pam_tally2 tally directory.
Verify the location of the default tallylog file for the pam_tally2 module with the following command:
$ sudo grep -R pam_tally2 /etc/pam.d/login | grep "file=" | grep -v "^#"
Is it the case that file= is set to /var/log/tallylog or missing?

SRG-OS-000021-GPOS-00005
CCI-000044
AC-7 a
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_file_selinux medium An SELinux Context must be configured for default pam_tally2 file option Not having the correct SELinux context on the pam_tally2.so file may lead to unauthorized access to the directory. The file configuration option in PAM pam_tally2.so module defines where to keep counts. Default is /var/log/tallylog. The configured directory must have the correct SELinux context.
If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_tally2 module is not configured for use, this requirement is not applicable.

Check the security context type of the default tally2 directory with the following command:

$ sudo ls -Z /var/log/tallylog

unconfined_u:object_r:faillog_t:s0 /var/log/tallylog

If the security context type of the tally directory is not "faillog_t", this is a finding.
Is it the case that the security context type of the default tally directory is not "faillog_t"?

SRG-OS-000021-GPOS-00005
CCI-000044
AC-7 a
xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl medium Record Any Attempts to Run chacl Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the chacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "chacl" command with the following command:

$ sudo auditctl -l | grep chacl

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon medium Record Any Attempts to Run chcon Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "chcon" command with the following command:

$ sudo auditctl -l | grep chcon

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_execution_chmod medium Record Any Attempts to Run chmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the chmod command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/bin/chmod" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      Is it the case that ?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_execution_rm medium Record Any Attempts to Run rm Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the rm command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/bin/rm" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      Is it the case that ?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage medium Record Any Attempts to Run semanage Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "semanage" command with the following command:

$ sudo auditctl -l | grep semanage

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000169
CCI-000172
CCI-002884
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl medium Record Any Attempts to Run setfacl Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "setfacl" command with the following command:

$ sudo auditctl -l | grep setfacl

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles medium Record Any Attempts to Run setfiles Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "setfiles" command with the following command:

$ sudo auditctl -l | grep setfiles

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000169
CCI-000172
CCI-002884
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool medium Record Any Attempts to Run setsebool Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "setsebool" command with the following command:

$ sudo auditctl -l | grep setsebool

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage medium Ensure auditd Collects Information on the Use of Privileged Commands - chage Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "chage" command with the following command:

$ sudo auditctl -l | grep chage

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chfn medium Ensure auditd Collects Information on the Use of Privileged Commands - chfn Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep chfn /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules.
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh medium Ensure auditd Collects Information on the Use of Privileged Commands - chsh Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "chsh" command with the following command:

$ sudo auditctl -l | grep chsh

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab medium Ensure auditd Collects Information on the Use of Privileged Commands - crontab Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "crontab" command with the following command:

$ sudo auditctl -l | grep crontab

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd medium Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "gpasswd" command with the following command:

$ sudo auditctl -l | grep gpasswd

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_insmod medium Ensure auditd Collects Information on the Use of Privileged Commands - insmod Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/insmod -p x -k modules
To verify that auditing of privileged command use is configured, run the
following command:

   sudo auditctl -l | grep -w '/sbin/insmod'

If the system is configured to audit the execution of the module management program "insmod",
the command will return a line.
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod medium Ensure auditd Collects Information on the Use of Privileged Commands - kmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /usr/bin/kmod -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-w /usr/bin/kmod -p x -k modules
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "kmod" command with the following command:

$ sudo auditctl -l | grep kmod

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_modprobe medium Ensure auditd Collects Information on the Use of Privileged Commands - modprobe Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/modprobe -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-w /sbin/modprobe -p x -k modules
To verify that auditing of privileged command use is configured, run the
following command:

  sudo auditctl -l | grep -w '/sbin/modprobe'
  -w /sbin/modprobe -p x -k modules

It should return a relevant line in the audit rules.
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp medium Ensure auditd Collects Information on the Use of Privileged Commands - newgrp Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "newgrp" command with the following command:

$ sudo auditctl -l | grep newgrp

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000135
CCI-000172
CCI-002884
AU-3
AU-12 a
AU-3 (1)
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check medium Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd medium Ensure auditd Collects Information on the Use of Privileged Commands - passwd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "passwd" command with the following command:

$ sudo auditctl -l | grep passwd

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_rmmod medium Ensure auditd Collects Information on the Use of Privileged Commands - rmmod Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/rmmod -p x -k modules
To verify that auditing of privileged command use is configured, run the
following command:

   sudo auditctl -l | grep -w '/sbin/rmmod'

If the system is configured to audit the execution of the module management program "rmmod",
the command will return a line.
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent medium Record Any Attempts to Run ssh-agent Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "ssh-agent" command with the following command:

$ sudo auditctl -l | grep ssh-agent

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign medium Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "ssh-keysign" command with the following command:

$ sudo auditctl -l | grep ssh-keysign

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su medium Ensure auditd Collects Information on the Use of Privileged Commands - su Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "su" command with the following command:

$ sudo auditctl -l | grep su

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo medium Ensure auditd Collects Information on the Use of Privileged Commands - sudo Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "sudo" command with the following command:

$ sudo auditctl -l | grep sudo

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit medium Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "sudoedit" command with the following command:

$ sudo auditctl -l | grep sudoedit

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd medium Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "unix_chkpwd" command with the following command:

$ sudo auditctl -l | grep unix_chkpwd

-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod medium Ensure auditd Collects Information on the Use of Privileged Commands - usermod Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "usermod" command with the following command:

$ sudo auditctl -l | grep usermod

-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
AU-3
AU-3 (1)
AU-12 a
AU-12 c
xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd medium Record Events that Modify User/Group Information - /etc/passwd In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account information:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, in order to capture events that modify account information:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Verify SUSE Linux Enterprise Micro 5 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command:

$ sudo auditctl -l | grep -E '(/etc/passwd)'

-w /etc/passwd -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      
SRG-OS-000004-GPOS-00004
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
SRG-OS-000392-GPOS-00172
CCI-000018
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
CCI-002884
AC-2 (4)
AU-3
AU-3 (1)
AU-12 a
AU-12 c
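The three audit rules above (unix_chkpwd, usermod and the /etc/passwd watch) all end in a "sudo auditctl -l | grep ..." check. As an added example that is not part of the STIG content, the following POSIX shell script runs those checks over a captured auditctl -l listing (constructed here) instead of the live system. Because the fix text uses /usr/sbin paths with "-F key=privileged" while the check text shows /usr/bin paths with "-k privileged-<cmd>", the match accepts either directory and either key form; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the STIG content): check a captured `auditctl -l`
# listing against the three audit rules above. The listing below is constructed.

# Rule line from the fix text for the privileged command at path $1.
privileged_rule() {
    printf '%s always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n' '-a' "$1"
}

# Succeed if the loaded rules on stdin audit execution of command $1 (by name,
# under /usr/bin or /usr/sbin, with either the -F key= or the -k key form).
has_privileged_rule() {
    grep -E "^-a always,exit .*-F path=/usr/s?bin/$1( |\$).*-F perm=x" \
        | grep -qE '(-F key=|-k )'
}

# Succeed if the rules on stdin watch file $1 for both writes (w) and
# attribute changes (a), as the /etc/passwd rule requires (-p wa).
has_write_watch() {
    grep -E "^-w $1 -p [rwxa]+( |\$)" \
        | grep -E -- '-p [rwxa]*w' | grep -qE -- '-p [rwxa]*a'
}

# Print the names among $2.. that have no privileged-command rule in text $1.
missing_privileged_rules() {
    rules=$1; shift
    for cmd in "$@"; do
        printf '%s\n' "$rules" | has_privileged_rule "$cmd" || echo "$cmd"
    done
}

# Constructed sample of `sudo auditctl -l` output: unix_chkpwd is covered and
# /etc/passwd is watched, but no rule exists for usermod.
SAMPLE_AUDIT_RULES='-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd
-w /etc/passwd -p wa -k identity'

missing_privileged_rules "$SAMPLE_AUDIT_RULES" unix_chkpwd usermod   # prints: usermod
printf '%s\n' "$SAMPLE_AUDIT_RULES" | has_write_watch /etc/passwd && echo "/etc/passwd watched"
privileged_rule /usr/sbin/usermod   # the line to add under /etc/audit/rules.d/
```

To run against a real host, replace the constructed listing with the output of "sudo auditctl -l"; the loaded rule set, not the files under /etc/audit, is what the STIG check text inspects.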
xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported high The Installed Operating System Is Vendor Supported An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. The installed operating system must be maintained by a vendor. SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise vendor, SUSE is responsible for providing security patches.
To verify that the installed operating system is supported, run
the following command:

$ grep -i "suse" /etc/os-release

SUSE Linux Enterprise Micro 5
      Is it the case that the installed operating system is not supported?
      
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CM-6 b
xccdf_org.ssgproject.content_rule_package_audit-audispd-plugins_installed medium Ensure the default plugins for the audit dispatcher are Installed Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. The audit-audispd-plugins package should be installed.
      Is it the case that the package is not installed?
      
SRG-OS-000342-GPOS-00133
SRG-OS-000479-GPOS-00224
CCI-001851
xccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed medium Install policycoreutils-python-utils package This package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox. The policycoreutils-python-utils package can be installed with the following command:
$ sudo zypper install policycoreutils-python-utils
Run the following command to determine if the policycoreutils-python-utils package is installed: $ rpm -q policycoreutils-python-utils
      Is it the case that the package is not installed?
      
xccdf_org.ssgproject.content_rule_package_policycoreutils_installed low Install policycoreutils Package Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfiles to label filesystems, newrole to switch roles, and so on. The policycoreutils package can be installed with the following command:
$ sudo zypper install policycoreutils
Run the following command to determine if the policycoreutils package is installed: $ rpm -q policycoreutils
      Is it the case that the policycoreutils package is not installed?
      
SRG-OS-000134-GPOS-00068
CCI-001084
SC-3
xccdf_org.ssgproject.content_rule_selinux_policytype medium Configure SELinux Policy Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to .
The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=
          
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Verify the SELINUX on SUSE Linux Enterprise Micro 5 is using the  policy with the following command:

$ sestatus | grep policy

Loaded policy name:             
      Is it the case that the loaded policy name is not the configured value of "var_selinux_policy_name"?
      
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
SRG-OS-000445-GPOS-00199
CCI-002165
CCI-002696
xccdf_org.ssgproject.content_rule_selinux_state high Ensure SELinux State is Enforcing Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. The SELinux state should be set to at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=
          
Ensure that SUSE Linux Enterprise Micro 5 verifies correct operation of security functions.

Check if "SELinux" is active and in "" mode with the following command:

$ sudo getenforce

      Is it the case that SELINUX is not set to enforcing?
      
SRG-OS-000134-GPOS-00068
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
SRG-OS-000445-GPOS-00199
CCI-001084
CCI-002165
CCI-002696
SC-3
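The two SELinux rules above set SELINUXTYPE and SELINUX in /etc/selinux/config but verify the running state with sestatus and getenforce, because the file only takes effect at boot. As an added example that is not part of the STIG content, this POSIX shell script compares a constructed /etc/selinux/config with constructed sestatus output; the required values "enforcing" and "targeted" are taken from the rule titles and prose above, since the fix lines on this page leave the values blank, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the STIG content): compare the SELinux settings
# requested at boot in /etc/selinux/config with the running state reported by
# sestatus. Both inputs are constructed.

# First uncommented KEY=value assignment for key $1 in the config on stdin.
selinux_config_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]]*\).*/\1/p" | head -n 1
}

# Value of the "Label:   value" line labelled $1 in sestatus output on stdin.
sestatus_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Compare config text $1 and sestatus text $2 with the required values; print
# each deviation and return the number of deviations (0 = compliant).
selinux_audit() {
    cfg=$1; status=$2; fails=0
    want_state=enforcing; want_type=targeted
    cfg_state=$(printf '%s\n' "$cfg" | selinux_config_value SELINUX)
    cfg_type=$(printf '%s\n' "$cfg" | selinux_config_value SELINUXTYPE)
    run_state=$(printf '%s\n' "$status" | sestatus_field "Current mode")
    run_type=$(printf '%s\n' "$status" | sestatus_field "Loaded policy name")
    for pair in "config SELINUX:$cfg_state:$want_state" \
                "config SELINUXTYPE:$cfg_type:$want_type" \
                "runtime mode:$run_state:$want_state" \
                "runtime policy:$run_type:$want_type"; do
        name=${pair%%:*}; rest=${pair#*:}; got=${rest%%:*}; want=${rest#*:}
        [ "$got" = "$want" ] || { echo "$name is '$got', want '$want'"; fails=$((fails + 1)); }
    done
    return $fails
}

# Constructed /etc/selinux/config: the boot configuration is correct.
SAMPLE_SELINUX_CONFIG='# constructed /etc/selinux/config
# SELINUX=permissive
SELINUX=enforcing
SELINUXTYPE=targeted'

# Constructed sestatus output: someone switched the running system to
# permissive, so the config file alone would give a false sense of compliance.
SAMPLE_SESTATUS='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

selinux_audit "$SAMPLE_SELINUX_CONFIG" "$SAMPLE_SESTATUS" || echo "$? deviation(s) found"
```

On a real host, feed the script the contents of /etc/selinux/config and the output of "sestatus"; a mismatch between "Mode from config file" and "Current mode" is exactly the drift the getenforce check in the rule above is meant to catch.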
xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords high Disable SSH Access via Empty Passwords Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:

$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000106-GPOS-00053
CCI-000366
CCI-000766
CM-6 b
IA-2 (2)
xccdf_org.ssgproject.content_rule_sshd_disable_root_login medium Disable SSH Root Login Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no
To determine how the SSH daemon's PermitRootLogin option is set, run the following command:

$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000109-GPOS-00056
CCI-000366
CCI-000770
CM-6 b
IA-2 (5) (b)
xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts medium Disable SSH Support for User Known Hosts Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. SSH can allow system users to connect to systems if a cache of the remote systems' public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreUserKnownHosts yes
To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:

$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CM-6 b
xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding medium Disable X11 Forwarding Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:
X11Forwarding no
To determine how the SSH daemon's X11Forwarding option is set, run the following command:

$ sudo grep -i X11Forwarding /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CM-6 b
xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env medium Do Not Allow SSH Environment Options SSH environment options potentially allow users to bypass access restriction in some configurations. Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following line in /etc/ssh/sshd_config:
PermitUserEnvironment no
To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command:

$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CM-6 b
xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes medium Enable Use of Strict Mode Checking If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. SSH's StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world-writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in /etc/ssh/sshd_config:
StrictModes yes
To determine how the SSH daemon's StrictModes option is set, run the following command:

$ sudo grep -i StrictModes /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CM-6 b
xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner medium Enable SSH Warning Banner The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
To determine how the SSH daemon's Banner option is set, run the following command:

$ sudo grep -i Banner /etc/ssh/sshd_config

If a line indicating /etc/issue is returned, then the required value is set.

      Is it the case that the required value is not set?
      
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
SRG-OS-000228-GPOS-00088
CCI-000048
CCI-000050
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
AC-8 a
AC-8 b
AC-8 c
xccdf_org.ssgproject.content_rule_sshd_print_last_log medium Enable SSH Print Last Log Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. Ensure that SSH will display the date and time of the last successful account logon.
The default SSH configuration enables print of the date and time of the last login. The appropriate configuration is used if no value is set for PrintLastLog.
To explicitly enable LastLog in SSH, add or correct the following line in /etc/ssh/sshd_config:
PrintLastLog yes
To determine how the SSH daemon's PrintLastLog option is set, run the following command:

$ sudo grep -i PrintLastLog /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      
CCI-000052
AC-9
xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose medium Set SSH Daemon LogLevel to VERBOSE SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO or VERBOSE level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. The VERBOSE parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in /etc/ssh/sshd_config:
LogLevel VERBOSE
To determine how the SSH daemon's LogLevel option is set, run the following command:

$ sudo grep -i LogLevel /etc/ssh/sshd_config

If a line indicating VERBOSE is returned, then the required value is set.

      Is it the case that the required value is not set?
      
SRG-OS-000032-GPOS-00013
CCI-000067
AC-17 (1)
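Each of the nine sshd rules above (PermitEmptyPasswords, PermitRootLogin, IgnoreUserKnownHosts, X11Forwarding, PermitUserEnvironment, StrictModes, Banner, PrintLastLog and LogLevel) is checked with "sudo grep -i <keyword> /etc/ssh/sshd_config". That grep also matches commented-out lines and later duplicates, while sshd itself uses the first value it finds, ignores comments and keyword case, and treats settings after a Match line as conditional. As an added example that is not part of the STIG content, the following POSIX shell script evaluates all nine keywords the way sshd reads them, over a constructed sshd_config; the defaults applied for unset keywords are only those the rule texts above state, the script assumes "Keyword value" lines separated by whitespace, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the STIG content): evaluate the sshd_config
# keywords required by the SSH rules above against a constructed config text.

# Print the effective global value of keyword $1 from the config on stdin;
# prints nothing when it is unset (sshd then uses its built-in default).
sshd_option_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }                 # comment or blank line
        tolower($1) == "match" { exit }                 # end of global section
        tolower($1) == key     { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    '
}

# Succeed if keyword $1 (or its stated default $3 when unset) equals $2,
# compared case-insensitively.
sshd_option_ok() {
    got=$(sshd_option_value "$1")
    [ -n "$got" ] || got=$3
    [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Check config text $1 against every rule; print failures, return their count.
# Table columns: keyword, required value, default when unset ("-" means the
# page states no default, so the keyword must be set explicitly).
check_sshd_config() {
    cfg=$1; fails=0
    while read -r key want def; do
        [ "$def" != "-" ] || def=
        if ! printf '%s\n' "$cfg" | sshd_option_ok "$key" "$want" "$def"; then
            echo "FAIL: $key must be '$want'"
            fails=$((fails + 1))
        fi
    done <<'EOF'
PermitEmptyPasswords no no
PermitRootLogin no -
IgnoreUserKnownHosts yes -
X11Forwarding no no
PermitUserEnvironment no no
StrictModes yes yes
Banner /etc/issue -
PrintLastLog yes yes
LogLevel VERBOSE -
EOF
    return $fails
}

# Constructed sshd_config: a commented-out PermitRootLogin, mixed-case keyword,
# and an X11Forwarding that is only turned off inside a Match block.
SAMPLE_SSHD_CONFIG='# constructed sshd_config for the example
#PermitRootLogin yes
PermitRootLogin no
permitemptypasswords no
LogLevel VERBOSE
Banner /etc/issue
IgnoreUserKnownHosts yes
X11Forwarding yes
Match User backup
    X11Forwarding no'

check_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "$? keyword(s) need correction"
```

On a real host, "sudo sshd -T" prints the effective values after all parsing and is the more reliable source than grepping the file; the script above reproduces the part of that parsing that matters for these nine rules.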