| V-ID | CCI | CAT | Title | SRG | Description | Check Procedures | Fixtext | Version | Mapped Rule |
|---|---|---|---|---|---|---|---|---|---|
| V-261263 | 366 | high | SLEM 5 must be a vendor-supported release. | SRG-OS-ID | An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. | To verify that the installed operating system is supported, run the following command: `$ grep -i "suse" /etc/os-release`. Expected output: `SUSE Linux Enterprise Micro 5`. Is it the case that the installed operating system is not supported? | The installed operating system must be maintained by a vendor. SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise vendor, SUSE is responsible for providing security patches. | SLEM-05-211010 | installed_OS_is_vendor_supported |
| V-261264 | | medium | SLEM 5 must implement an endpoint security tool. | SRG-OS-ID | | | | SLEM-05-211015 | Missing Rule |
| V-261265 | 1388 | medium | SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting any local or remote connection to the system. | SRG-OS-ID | The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. | To determine how the SSH daemon's Banner option is set, run the following command: `$ sudo grep -i Banner /etc/ssh/sshd_config`. If a line indicating /etc/issue is returned, then the required value is set. Is it the case that the required value is not set? | To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config: `Banner /etc/issue`. Another section contains information on how to create an appropriate system-wide warning banner. | SLEM-05-211020 | sshd_enable_warning_banner |
| V-261266 | | high | SLEM 5 must disable the x86 Ctrl-Alt-Delete key sequence. | SRG-OS-ID | | | | SLEM-05-211025 | Missing Rule |
| V-261267 | | high | SLEM 5 with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes. | SRG-OS-ID | | | | SLEM-05-212010 | Missing Rule |
| V-261268 | | high | SLEM 5 with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | SRG-OS-ID | | | | SLEM-05-212015 | Missing Rule |
| V-261269 | | medium | SLEM 5 must restrict access to the kernel message buffer. | SRG-OS-ID | | | | SLEM-05-213010 | Missing Rule |
| V-261270 | | medium | SLEM 5 kernel core dumps must be disabled unless needed. | SRG-OS-ID | | | | SLEM-05-213015 | Missing Rule |
| V-261271 | | medium | Address space layout randomization (ASLR) must be implemented by SLEM 5 to protect memory from unauthorized code execution. | SRG-OS-ID | | | | SLEM-05-213020 | Missing Rule |
| V-261272 | | medium | SLEM 5 must implement kptr-restrict to prevent the leaking of internal kernel addresses. | SRG-OS-ID | | | | SLEM-05-213025 | Missing Rule |
| V-261273 | | medium | Vendor-packaged SLEM 5 security patches and updates must be installed and up to date. | SRG-OS-ID | | | | SLEM-05-214010 | Missing Rule |
| V-261274 | | high | The SLEM 5 tool zypper must have gpgcheck enabled. | SRG-OS-ID | | | | SLEM-05-214015 | Missing Rule |
| V-261275 | | medium | SLEM 5 must remove all outdated software components after updated versions have been installed. | SRG-OS-ID | | | | SLEM-05-214020 | Missing Rule |
| V-261276 | | medium | SLEM 5 must use vlock to allow for session locking. | SRG-OS-ID | | | | SLEM-05-215010 | Missing Rule |
| V-261277 | | high | SLEM 5 must not have the telnet-server package installed. | SRG-OS-ID | | | | SLEM-05-215015 | Missing Rule |
| V-261278 | | medium | A separate file system must be used for SLEM 5 user home directories (such as /home or an equivalent). | SRG-OS-ID | | | | SLEM-05-231010 | Missing Rule |
| V-261279 | | medium | SLEM 5 must use a separate file system for /var. | SRG-OS-ID | | | | SLEM-05-231015 | Missing Rule |
| V-261280 | | medium | SLEM 5 must use a separate file system for the system audit data path. | SRG-OS-ID | | | | SLEM-05-231020 | Missing Rule |
| V-261281 | | medium | SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. | SRG-OS-ID | | | | SLEM-05-231025 | Missing Rule |
| V-261282 | | medium | SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. | SRG-OS-ID | | | | SLEM-05-231030 | Missing Rule |
| V-261283 | | medium | SLEM 5 file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. | SRG-OS-ID | | | | SLEM-05-231035 | Missing Rule |
| V-261284 | | high | All SLEM 5 persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection. | SRG-OS-ID | | | | SLEM-05-231040 | Missing Rule |
| V-261285 | | medium | SLEM 5 file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. | SRG-OS-ID | | | | SLEM-05-231045 | Missing Rule |
| V-261286 | | medium | SLEM 5 must disable the file system automounter unless required. | SRG-OS-ID | | | | SLEM-05-231050 | Missing Rule |
| V-261287 | | medium | SLEM 5 must have directories that contain system commands set to a mode of 755 or less permissive. | SRG-OS-ID | | | | SLEM-05-232010 | Missing Rule |
| V-261288 | | medium | SLEM 5 must have system commands set to a mode of 755 or less permissive. | SRG-OS-ID | | | | SLEM-05-232015 | Missing Rule |
| V-261289 | | medium | SLEM 5 library directories must have mode 755 or less permissive. | SRG-OS-ID | | | | SLEM-05-232020 | Missing Rule |
| V-261290 | | medium | SLEM 5 library files must have mode 755 or less permissive. | SRG-OS-ID | | | | SLEM-05-232025 | Missing Rule |
| V-261291 | | medium | All SLEM 5 local interactive user home directories must have mode 750 or less permissive. | SRG-OS-ID | | | | SLEM-05-232030 | Missing Rule |
| V-261292 | | medium | All SLEM 5 local initialization files must have mode 740 or less permissive. | SRG-OS-ID | | | | SLEM-05-232035 | Missing Rule |
| V-261293 | | medium | SLEM 5 SSH daemon public host key files must have mode 644 or less permissive. | SRG-OS-ID | | | | SLEM-05-232040 | Missing Rule |
| V-261294 | | medium | SLEM 5 SSH daemon private host key files must have mode 640 or less permissive. | SRG-OS-ID | | | | SLEM-05-232045 | Missing Rule |
| V-261295 | | medium | SLEM 5 library files must be owned by root. | SRG-OS-ID | | | | SLEM-05-232050 | Missing Rule |
| V-261296 | | medium | SLEM 5 library files must be group-owned by root. | SRG-OS-ID | | | | SLEM-05-232055 | Missing Rule |
| V-261297 | | medium | SLEM 5 library directories must be owned by root. | SRG-OS-ID | | | | SLEM-05-232060 | Missing Rule |
| V-261298 | | medium | SLEM 5 library directories must be group-owned by root. | SRG-OS-ID | | | | SLEM-05-232065 | Missing Rule |
| V-261299 | | medium | SLEM 5 must have system commands owned by root. | SRG-OS-ID | | | | SLEM-05-232070 | Missing Rule |
| V-261300 | | medium | SLEM 5 must have system commands group-owned by root or a system account. | SRG-OS-ID | | | | SLEM-05-232075 | Missing Rule |
| V-261301 | | medium | SLEM 5 must have directories that contain system commands owned by root. | SRG-OS-ID | | | | SLEM-05-232080 | Missing Rule |
| V-261302 | | medium | SLEM 5 must have directories that contain system commands group-owned by root. | SRG-OS-ID | | | | SLEM-05-232085 | Missing Rule |
| V-261303 | | medium | All SLEM 5 files and directories must have a valid owner. | SRG-OS-ID | | | | SLEM-05-232090 | Missing Rule |
| V-261304 | | medium | All SLEM 5 files and directories must have a valid group owner. | SRG-OS-ID | | | | SLEM-05-232095 | Missing Rule |
| V-261305 | | medium | All SLEM 5 local interactive user home directories must be group-owned by the home directory owner's primary group. | SRG-OS-ID | | | | SLEM-05-232100 | Missing Rule |
| V-261306 | | medium | All SLEM 5 world-writable directories must be group-owned by root, sys, bin, or an application group. | SRG-OS-ID | | | | SLEM-05-232105 | Missing Rule |
| V-261307 | | medium | The sticky bit must be set on all SLEM 5 world-writable directories. | SRG-OS-ID | | | | SLEM-05-232110 | Missing Rule |
| V-261308 | | medium | SLEM 5 must prevent unauthorized users from accessing system error messages. | SRG-OS-ID | | | | SLEM-05-232115 | Missing Rule |
| V-261309 | | medium | SLEM 5 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | SRG-OS-ID | | | | SLEM-05-232120 | Missing Rule |
| V-261310 | | medium | SLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | SRG-OS-ID | | | | SLEM-05-251010 | Missing Rule |
| V-261311 | | medium | SLEM 5 clock must, for networked systems, be synchronized to an authoritative DOD time source at least every 24 hours. | SRG-OS-ID | | | | SLEM-05-252010 | Missing Rule |
| V-261312 | | medium | SLEM 5 must not have network interfaces in promiscuous mode unless approved and documented. | SRG-OS-ID | | | | SLEM-05-252015 | Missing Rule |
| V-261313 | | medium | SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets. | SRG-OS-ID | | | | SLEM-05-253010 | Missing Rule |
| V-261314 | | medium | SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. | SRG-OS-ID | | | | SLEM-05-253015 | Missing Rule |
| V-261315 | | medium | SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | SRG-OS-ID | | | | SLEM-05-253020 | Missing Rule |
| V-261316 | | medium | SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. | SRG-OS-ID | | | | SLEM-05-253025 | Missing Rule |
| V-261317 | | medium | SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. | SRG-OS-ID | | | | SLEM-05-253030 | Missing Rule |
| V-261318 | | medium | SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. | SRG-OS-ID | | | | SLEM-05-253035 | Missing Rule |
| V-261319 | | medium | SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. | SRG-OS-ID | | | | SLEM-05-253040 | Missing Rule |
| V-261320 | | medium | SLEM 5 must be configured to use TCP syncookies. | SRG-OS-ID | | | | SLEM-05-253045 | Missing Rule |
| V-261321 | | medium | SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets. | SRG-OS-ID | | | | SLEM-05-254010 | Missing Rule |
| V-261322 | | medium | SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. | SRG-OS-ID | | | | SLEM-05-254015 | Missing Rule |
| V-261323 | | medium | SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | SRG-OS-ID | | | | SLEM-05-254020 | Missing Rule |
| V-261324 | | medium | SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default. | SRG-OS-ID | | | | SLEM-05-254025 | Missing Rule |
| V-261325 | | medium | SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. | SRG-OS-ID | | | | SLEM-05-254030 | Missing Rule |
| V-261326 | | medium | SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router. | SRG-OS-ID | | | | SLEM-05-254035 | Missing Rule |
| V-261327 | | high | SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information. | SRG-OS-ID | | | | SLEM-05-255010 | Missing Rule |
| V-261328 | | high | SLEM 5 must use SSH to protect the confidentiality and integrity of transmitted information. | SRG-OS-ID | | | | SLEM-05-255015 | Missing Rule |
| V-261329 | | medium | SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting access via SSH. | SRG-OS-ID | | | | SLEM-05-255020 | Missing Rule |
| V-261330 | 366 | high | SLEM 5 must not allow unattended or automatic logon via SSH. | SRG-OS-ID | SSH environment options potentially allow users to bypass access restrictions in some configurations. | To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command: `$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config`. If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? | Ensure that users are not able to override environment variables of the SSH daemon. The default SSH configuration disables environment processing, so the appropriate configuration is used if no value is set for PermitUserEnvironment. To explicitly disable environment options, add or correct the following line in /etc/ssh/sshd_config: `PermitUserEnvironment no` | SLEM-05-255025 | sshd_do_not_permit_user_env |
| V-261331 | | medium | SLEM 5 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. | SRG-OS-ID | | | | SLEM-05-255030 | Missing Rule |
| V-261332 | | medium | SLEM 5 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. | SRG-OS-ID | | | | SLEM-05-255035 | Missing Rule |
| V-261333 | 366 | medium | SLEM 5 SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements. | SRG-OS-ID | Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. | To determine how the SSH daemon's X11Forwarding option is set, run the following command: `$ sudo grep -i X11Forwarding /etc/ssh/sshd_config`. If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? | The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled. The default SSH configuration disables X11Forwarding; the appropriate configuration is used if no value is set for X11Forwarding. To explicitly disable X11 forwarding, add or correct the following line in /etc/ssh/sshd_config: `X11Forwarding no` | SLEM-05-255040 | sshd_disable_x11_forwarding |
| V-261334 | | high | SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections. | SRG-OS-ID | | | | SLEM-05-255045 | Missing Rule |
| V-261335 | | high | SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms. | SRG-OS-ID | | | | SLEM-05-255050 | Missing Rule |
| V-261336 | | high | SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated key exchange algorithms. | SRG-OS-ID | | | | SLEM-05-255055 | Missing Rule |
| V-261337 | 770 | medium | SLEM 5 must deny direct logons to the root account using remote access via SSH. | SRG-OS-ID | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. | To determine how the SSH daemon's PermitRootLogin option is set, run the following command: `$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config`. If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? | The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config: `PermitRootLogin no` | SLEM-05-255060 | sshd_disable_root_login |
| V-261338 | 67 | medium | SLEM 5 must log SSH connection attempts and failures to the server. | SRG-OS-ID | SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications, since it provides so much data that it is difficult to identify important security information. INFO or VERBOSE level is the basic level that only records login activity of SSH users. In many situations, such as incident response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. | To determine how the SSH daemon's LogLevel option is set, run the following command: `$ sudo grep -i LogLevel /etc/ssh/sshd_config`. If a line indicating VERBOSE is returned, then the required value is set. Is it the case that the required value is not set? | The VERBOSE parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in /etc/ssh/sshd_config: `LogLevel VERBOSE` | SLEM-05-255065 | sshd_set_loglevel_verbose |
| V-261339 | 366 | medium | SLEM 5 must display the date and time of the last successful account logon upon an SSH logon. | SRG-OS-ID | Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. | To determine how the SSH daemon's PrintLastLog option is set, run the following command: `$ sudo grep -i PrintLastLog /etc/ssh/sshd_config`. If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? | Ensure that SSH will display the date and time of the last successful account logon. The default SSH configuration enables printing of the date and time of the last login; the appropriate configuration is used if no value is set for PrintLastLog. To explicitly enable LastLog in SSH, add or correct the following line in /etc/ssh/sshd_config: `PrintLastLog yes` | SLEM-05-255070 | sshd_print_last_log |
| V-261340 | 366 | medium | SLEM 5 SSH daemon must be configured to not allow authentication using known hosts authentication. | SRG-OS-ID | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: `$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config`. If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? | SSH can allow system users to connect to systems if a cache of the remote systems' public keys is available. This should be disabled. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: `IgnoreUserKnownHosts yes` | SLEM-05-255075 | sshd_disable_user_known_hosts |
| V-261341 | 366 | medium | SLEM 5 SSH daemon must perform strict mode checking of home directory configuration files. | SRG-OS-ID | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. | To determine how the SSH daemon's StrictModes option is set, run the following command: `$ sudo grep -i StrictModes /etc/ssh/sshd_config`. If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? | SSH's StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world-writable permissions are found, logon is rejected. The default SSH configuration has StrictModes enabled; the appropriate configuration is used if no value is set for StrictModes. To explicitly enable StrictModes in SSH, add or correct the following line in /etc/ssh/sshd_config: `StrictModes yes` | SLEM-05-255080 | sshd_enable_strictmodes |
| V-261342 | | medium | SLEM 5, for PKI-based authentication, must enforce authorized access to the corresponding private key. | SRG-OS-ID | | | | SLEM-05-255085 | Missing Rule |
| V-261343 | | high | There must be no .shosts files on SLEM 5. | SRG-OS-ID | | | | SLEM-05-255090 | Missing Rule |
| V-261344 | | high | There must be no shosts.equiv files on SLEM 5. | SRG-OS-ID | | | | SLEM-05-255095 | Missing Rule |
| V-261345 | | high | SLEM 5 must not allow unattended or automatic logon via the graphical user interface (GUI). | SRG-OS-ID | | | | SLEM-05-272010 | Missing Rule |
| V-261346 | | medium | SLEM 5 wireless network adapters must be disabled unless approved and documented. | SRG-OS-ID | | | | SLEM-05-291010 | Missing Rule |
| V-261347 | | medium | SLEM 5 must disable the USB mass storage kernel module. | SRG-OS-ID | | | | SLEM-05-291015 | Missing Rule |
| V-261348 | | medium | All SLEM 5 local interactive user accounts, upon creation, must be assigned a home directory. | SRG-OS-ID | | | | SLEM-05-411010 | Missing Rule |
| V-261349 | | medium | SLEM 5 default permissions must be defined in such a way that all authenticated users can only read and modify their own files. | SRG-OS-ID | | | | SLEM-05-411015 | Missing Rule |
| V-261350 | 366 | medium | SLEM 5 shadow password suite must be configured to enforce a delay of at least five seconds between logon prompts following a failed logon attempt. | SRG-OS-ID | Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. | Verify SUSE Linux Enterprise Micro 5 enforces a delay of at least seconds between console logon prompts following a failed logon attempt with the following command: `$ sudo grep -i "FAIL_DELAY" /etc/login.defs`. Expected output: `FAIL_DELAY`. Is it the case that the value of "FAIL_DELAY" is not set to "" or greater, or the line is commented out? | To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows: `FAIL_DELAY` | SLEM-05-411020 | accounts_logon_fail_delay |
| V-261351 | | medium | All SLEM 5 local interactive users must have a home directory assigned in the /etc/passwd file. | SRG-OS-ID | | | | SLEM-05-411025 | Missing Rule |
| V-261352 | | medium | All SLEM 5 local interactive user home directories defined in the /etc/passwd file must exist. | SRG-OS-ID | | | | SLEM-05-411030 | Missing Rule |
| V-261353 | | medium | All SLEM 5 local interactive user initialization files executable search paths must contain only paths that resolve to the users' home directory. | SRG-OS-ID | | | | SLEM-05-411035 | Missing Rule |
| V-261354 | | medium | All SLEM 5 local initialization files must not execute world-writable programs. | SRG-OS-ID | | | | SLEM-05-411040 | Missing Rule |
| V-261355 | | medium | SLEM 5 must automatically expire temporary accounts within 72 hours. | SRG-OS-ID | | | | SLEM-05-411045 | Missing Rule |
| V-261356 | | medium | SLEM 5 must never automatically remove or disable emergency administrator accounts. | SRG-OS-ID | | | | SLEM-05-411050 | Missing Rule |
| V-261357 | | medium | SLEM 5 must not have unnecessary accounts. | SRG-OS-ID | | | | SLEM-05-411055 | Missing Rule |
| V-261358 | | medium | SLEM 5 must not have unnecessary account capabilities. | SRG-OS-ID | | | | SLEM-05-411060 | Missing Rule |
| V-261359 | | high | SLEM 5 root account must be the only account with unrestricted access to the system. | SRG-OS-ID | | | | SLEM-05-411065 | Missing Rule |
| V-261360 | | medium | SLEM 5 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration. | SRG-OS-ID | | | | SLEM-05-411070 | Missing Rule |
| V-261361 | | medium | SLEM 5 must not have duplicate User IDs (UIDs) for interactive users. | SRG-OS-ID | | | | SLEM-05-411075 | Missing Rule |
| V-261362 | | medium | SLEM 5 must display the date and time of the last successful account logon upon logon. | SRG-OS-ID | | | | SLEM-05-412010 | Missing Rule |
| V-261363 | | medium | SLEM 5 must initiate a session lock after a 15-minute period of inactivity. | SRG-OS-ID | | | | SLEM-05-412015 | Missing Rule |
| V-261364 | | medium | SLEM 5 must lock an account after three consecutive invalid access attempts. | SRG-OS-ID | | | | SLEM-05-412020 | Missing Rule |
| V-261365 | 366 | medium | SLEM 5 must enforce a delay of at least five seconds between logon prompts following a failed logon attempt via pluggable authentication modules (PAM). | SRG-OS-ID | Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. | Verify that the SUSE Linux Enterprise Micro 5 operating system enforces a minimum delay between logon prompts following a failed logon attempt: `# grep pam_faildelay /etc/pam.d/common-auth`. Expected output: `auth required pam_faildelay.so delay=`. If the value of delay is not set to or greater, "delay" is commented out, "delay" is missing, or the "pam_faildelay" line is missing completely, this is a finding. Is it the case that the value of delay is not set properly or the line is commented or missing? | To configure the system to introduce a delay after failed logon attempts, add or correct the pam_faildelay settings in /etc/pam.d/common-auth to make sure its delay parameter is at least or greater. For example: `auth required pam_faildelay.so delay=` | SLEM-05-412025 | accounts_passwords_pam_faildelay_delay |
| V-261366 | 44 | medium | SLEM 5 must use the default pam_tally2 tally directory. | SRG-OS-ID | Not having the correct SELinux context on the pam_tally2.so file may lead to unauthorized access to the directory. | If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_tally2 module is not configured for use, this requirement is not applicable. Check the security context type of the default tally2 directory with the following command: `$ sudo ls -Z /var/log/tallylog`. Expected output: `unconfined_u:object_r:faillog_t:s0 /var/log/faillock`. If the security context type of the tally directory is not "faillog_t", this is a finding. Is it the case that the security context type of the non-default tally directory is not "faillog_t"? | The file configuration option in the PAM pam_tally2.so module defines where to keep counts. The default is /var/log/tallylog. The configured directory must have the correct SELinux context. | SLEM-05-412030 | accounts_passwords_pam_tally2_file_selinux |
| V-261367 | | low | SLEM 5 must limit the number of concurrent sessions to 10 for all accounts and/or account types. | SRG-OS-ID | | | | SLEM-05-412035 | Missing Rule |
| V-261368 | 1084 | low | SLEM 5 must have policycoreutils package installed. | SRG-OS-ID | Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfiles to label filesystems, newrole to switch roles, and so on. | Run the following command to determine if the policycoreutils package is installed: `$ rpm -q policycoreutils`. Is it the case that the policycoreutils package is not installed? | The policycoreutils package can be installed with the following command: `$ sudo zypper install policycoreutils` | SLEM-05-431010 | package_policycoreutils_installed |
| V-261369 | 2233 | high | SLEM 5 must use a Linux Security Module configured to enforce limits on system services. | SRG-OS-ID | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. | Ensure that SUSE Linux Enterprise Micro 5 verifies correct operation of security functions. Check if "SELinux" is active and in "" mode with the following command: `$ sudo getenforce`. Is it the case that SELINUX is not set to enforcing? | The SELinux state should be set to at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode: `SELINUX=` | SLEM-05-431015 | selinux_state |
| V-261370 | 2696 | medium | SLEM 5 must enable the SELinux targeted policy. | SRG-OS-ID | Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to . | Verify the SELINUX on SUSE Linux Enterprise Micro 5 is using the policy with the following command: `$ sestatus \| grep policy`. Expected output: `Loaded policy name:`. Is it the case that the loaded policy name is not ""? | The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config: `SELINUXTYPE=`. Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. | SLEM-05-431020 | selinux_policytype |
| V-261371 | | medium | SLEM 5 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. | SRG-OS-ID | | | | SLEM-05-431025 | Missing Rule |
| V-261372 | | medium | SLEM 5 must use the invoking user's password for privilege escalation when using "sudo". | SRG-OS-ID | | | | SLEM-05-432010 | Missing Rule |
| V-261373 | | medium | SLEM 5 must reauthenticate users when changing authenticators, roles, or escalating privileges. | SRG-OS-ID | | | | SLEM-05-432015 | Missing Rule |
| V-261374 | | medium | SLEM 5 must require reauthentication when using the "sudo" command. | SRG-OS-ID | | | | SLEM-05-432020 | Missing Rule |
| V-261375 | | medium | SLEM 5 must restrict privilege elevation to authorized personnel. | SRG-OS-ID | | | | SLEM-05-432025 | Missing Rule |
| V-261376 | | medium | SLEM 5 must specify the default "include" directory for the /etc/sudoers file. | SRG-OS-ID | | | | SLEM-05-432030 | Missing Rule |
| V-261377 | | medium | SLEM 5 must enforce passwords that contain at least one uppercase character. | SRG-OS-ID | | | | SLEM-05-611010 | Missing Rule |
| V-261378 | | medium | SLEM 5 must enforce passwords that contain at least one lowercase character. | SRG-OS-ID | | | | SLEM-05-611015 | Missing Rule |
| V-261379 | | medium | SLEM 5 must enforce passwords that contain at least one numeric character. | SRG-OS-ID | | | | SLEM-05-611020 | Missing Rule |
| V-261380 | | medium | SLEM 5 must enforce passwords that contain at least one special character. | SRG-OS-ID | | | | SLEM-05-611025 | Missing Rule |
| V-261381 | | medium | SLEM 5 must prevent the use of dictionary words for passwords. | SRG-OS-ID | | | | SLEM-05-611030 | Missing Rule |
| V-261382 | | medium | SLEM 5 must employ passwords with a minimum of 15 characters. | SRG-OS-ID | | | | SLEM-05-611035 | Missing Rule |
| V-261383 | | medium | SLEM 5 must require the change of at least eight of the total number of characters when passwords are changed. | SRG-OS-ID | | | | SLEM-05-611040 | Missing Rule |
| V-261384 | | medium | SLEM 5 must not allow passwords to be reused for a minimum of five generations. | SRG-OS-ID | | | | SLEM-05-611045 | Missing Rule |
| V-261385 | | medium | SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords. | SRG-OS-ID | | | | SLEM-05-611050 | Missing Rule |
V-261386 |
366 |
high |
SLEM 5 must not be configured to allow blank or null passwords. |
SRG-OS-ID |
Configuring this setting for the SSH daemon provides additional assurance
that remote login via SSH will require a password, even in the event of
misconfiguration elsewhere. |
To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:
$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config
If a line indicating no is returned, then the required value is set.
Is it the case that the required value is not set?
|
Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords,
add or correct the following line in
/etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords. |
SLEM-05-611055 |
sshd_disable_empty_passwords |
V-261387 |
|
high |
SLEM 5 must not have accounts configured with blank or null passwords. |
SRG-OS-ID |
|
|
|
SLEM-05-611060 |
Missing Rule |
V-261388 |
|
medium |
SLEM 5 must employ user passwords with a minimum lifetime of 24 hours (one day). |
SRG-OS-ID |
|
|
|
SLEM-05-611065 |
Missing Rule |
V-261389 |
|
medium |
SLEM 5 must employ user passwords with a maximum lifetime of 60 days. |
SRG-OS-ID |
|
|
|
SLEM-05-611070 |
Missing Rule |
V-261390 |
|
medium |
SLEM 5 must employ a password history file. |
SRG-OS-ID |
|
|
|
SLEM-05-611075 |
Missing Rule |
V-261391 |
|
high |
SLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms for system authentication. |
SRG-OS-ID |
|
|
|
SLEM-05-611080 |
Missing Rule |
V-261392 |
|
high |
SLEM 5 shadow password suite must be configured to use a sufficient number of hashing rounds. |
SRG-OS-ID |
|
|
|
SLEM-05-611085 |
Missing Rule |
V-261393 |
|
medium |
SLEM 5 must employ FIPS 140-2/140-3 approved cryptographic hashing algorithm for system authentication (login.defs). |
SRG-OS-ID |
|
|
|
SLEM-05-611090 |
Missing Rule |
V-261394 |
|
medium |
SLEM 5 must be configured to create or update passwords with a minimum lifetime of 24 hours (one day). |
SRG-OS-ID |
|
|
|
SLEM-05-611095 |
Missing Rule |
V-261395 |
|
medium |
SLEM 5 must be configured to create or update passwords with a maximum lifetime of 60 days. |
SRG-OS-ID |
|
|
|
SLEM-05-611100 |
Missing Rule |
V-261396 |
|
medium |
SLEM 5 must have the packages required for multifactor authentication to be installed. |
SRG-OS-ID |
|
|
|
SLEM-05-612010 |
Missing Rule |
V-261397 |
|
medium |
SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). |
SRG-OS-ID |
|
|
|
SLEM-05-612015 |
Missing Rule |
V-261398 |
|
medium |
SLEM 5 must implement certificate status checking for multifactor authentication. |
SRG-OS-ID |
|
|
|
SLEM-05-612020 |
Missing Rule |
V-261399 |
|
medium |
If Network Security Services (NSS) is being used by SLEM 5 it must prohibit the use of cached authentications after one day. |
SRG-OS-ID |
|
|
|
SLEM-05-631010 |
Missing Rule |
V-261400 |
|
medium |
SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day. |
SRG-OS-ID |
|
|
|
SLEM-05-631015 |
Missing Rule |
V-261401 |
|
medium |
SLEM 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
SRG-OS-ID |
|
|
|
SLEM-05-631020 |
Missing Rule |
V-261402 |
|
medium |
SLEM 5 must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. |
SRG-OS-ID |
|
|
|
SLEM-05-631025 |
Missing Rule |
V-261403 |
|
medium |
SLEM 5 must use a file integrity tool to verify correct operation of all security functions. |
SRG-OS-ID |
|
|
|
SLEM-05-651010 |
Missing Rule |
V-261404 |
|
medium |
SLEM 5 file integrity tool must be configured to verify Access Control Lists (ACLs). |
SRG-OS-ID |
|
|
|
SLEM-05-651015 |
Missing Rule |
V-261405 |
|
medium |
SLEM 5 file integrity tool must be configured to verify extended attributes. |
SRG-OS-ID |
|
|
|
SLEM-05-651020 |
Missing Rule |
V-261406 |
|
medium |
SLEM 5 file integrity tool must be configured to protect the integrity of the audit tools. |
SRG-OS-ID |
|
|
|
SLEM-05-651025 |
Missing Rule |
V-261407 |
|
medium |
Advanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly. |
SRG-OS-ID |
|
|
|
SLEM-05-651030 |
Missing Rule |
V-261408 |
|
medium |
SLEM 5 must notify the system administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions. |
SRG-OS-ID |
|
|
|
SLEM-05-651035 |
Missing Rule |
V-261409 |
|
medium |
SLEM 5 must offload rsyslog messages for networked systems in real time and offload standalone systems at least weekly. |
SRG-OS-ID |
|
|
|
SLEM-05-652010 |
Missing Rule |
V-261410 |
|
medium |
SLEM 5 must have the auditing package installed. |
SRG-OS-ID |
|
|
|
SLEM-05-653010 |
Missing Rule |
V-261411 |
|
medium |
SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. |
SRG-OS-ID |
|
|
|
SLEM-05-653015 |
Missing Rule |
V-261412 |
|
medium |
The audit-audispd-plugins package must be installed on SLEM 5. |
SRG-OS-ID |
|
|
|
SLEM-05-653020 |
Missing Rule |
V-261413 |
1849 |
medium |
SLEM 5 must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. |
SRG-OS-ID |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. |
Is it the case that the package is not installed?
|
The audit-audispd-plugins package should be installed. |
SLEM-05-653025 |
package_audit-audispd-plugins_installed |
V-261414 |
|
medium |
SLEM 5 auditd service must notify the system administrator (SA) and information system security officer (ISSO) immediately when audit storage capacity is 75 percent full. |
SRG-OS-ID |
|
|
|
SLEM-05-653030 |
Missing Rule |
V-261415 |
|
medium |
SLEM 5 audit system must take appropriate action when the audit storage volume is full. |
SRG-OS-ID |
|
|
|
SLEM-05-653035 |
Missing Rule |
V-261416 |
|
medium |
SLEM 5 must offload audit records onto a different system or media from the system being audited. |
SRG-OS-ID |
|
|
|
SLEM-05-653040 |
Missing Rule |
V-261417 |
|
medium |
Audispd must take appropriate action when SLEM 5 audit storage is full. |
SRG-OS-ID |
|
|
|
SLEM-05-653045 |
Missing Rule |
V-261418 |
|
medium |
SLEM 5 must protect audit rules from unauthorized modification. |
SRG-OS-ID |
|
|
|
SLEM-05-653050 |
Missing Rule |
V-261419 |
|
medium |
SLEM 5 audit tools must have the proper permissions configured to protect against unauthorized access. |
SRG-OS-ID |
|
|
|
SLEM-05-653055 |
Missing Rule |
V-261420 |
|
medium |
SLEM 5 audit tools must have the proper permissions applied to protect against unauthorized access. |
SRG-OS-ID |
|
|
|
SLEM-05-653060 |
Missing Rule |
V-261421 |
|
low |
SLEM 5 audit event multiplexor must be configured to use Kerberos. |
SRG-OS-ID |
|
|
|
SLEM-05-653065 |
Missing Rule |
V-261422 |
|
medium |
Audispd must offload audit records onto a different system or media from SLEM 5 being audited. |
SRG-OS-ID |
|
|
|
SLEM-05-653070 |
Missing Rule |
V-261423 |
|
medium |
The information system security officer (ISSO) and system administrator (SA), at a minimum, must have mail aliases to be notified of a SLEM 5 audit processing failure. |
SRG-OS-ID |
|
|
|
SLEM-05-653075 |
Missing Rule |
V-261424 |
|
medium |
The information system security officer (ISSO) and system administrator (SA), at a minimum, must be alerted of a SLEM 5 audit processing failure event. |
SRG-OS-ID |
|
|
|
SLEM-05-653080 |
Missing Rule |
V-261425 |
169 |
medium |
SLEM 5 must generate audit records for all uses of the "chacl" command. |
SRG-OS-ID |
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "chacl" command with the following command:
$ sudo auditctl -l | grep chacl
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect any execution attempt
of the chacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654010 |
audit_rules_execution_chacl |
V-261426 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "chage" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "chage" command with the following command:
$ sudo auditctl -l | grep chage
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654015 |
audit_rules_privileged_commands_chage |
V-261427 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "chcon" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "chcon" command with the following command:
$ sudo auditctl -l | grep chcon
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect any execution attempt
of the chcon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654020 |
audit_rules_execution_chcon |
V-261428 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "chfn" command. |
SRG-OS-ID |
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
To verify that auditing of privileged command use is configured, run the
following command:
$ sudo grep chfn /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules.
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654025 |
audit_rules_privileged_commands_chfn |
V-261429 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "chmod" command. |
SRG-OS-ID |
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/bin/chmod" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Is it the case that ?
|
At a minimum, the audit system should collect any execution attempt
of the chmod command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654030 |
audit_rules_execution_chmod |
V-261430 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "chsh" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "chsh" command with the following command:
$ sudo auditctl -l | grep chsh
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654035 |
audit_rules_privileged_commands_chsh |
V-261431 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "crontab" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "crontab" command with the following command:
$ sudo auditctl -l | grep crontab
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654040 |
audit_rules_privileged_commands_crontab |
V-261432 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "gpasswd" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "gpasswd" command with the following command:
$ sudo auditctl -l | grep gpasswd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654045 |
audit_rules_privileged_commands_gpasswd |
V-261433 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "insmod" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
To verify that auditing of privileged command use is configured, run the
following command:
$ sudo auditctl -l | grep -w '/sbin/insmod'
If the system is configured to audit the execution of the module management program "insmod",
the command will return a line.
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/insmod -p x -k modules
|
SLEM-05-654050 |
audit_rules_privileged_commands_insmod |
V-261434 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "kmod" command. |
SRG-OS-ID |
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "kmod" command with the following command:
$ sudo auditctl -l | grep kmod
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /usr/bin/kmod -p x -k modules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-w /usr/bin/kmod -p x -k modules
|
SLEM-05-654055 |
audit_rules_privileged_commands_kmod |
V-261435 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "modprobe" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
To verify that auditing of privileged command use is configured, run the
following command:
$ sudo auditctl -l | grep -w '/sbin/modprobe'
-w /sbin/modprobe -p x -k modules
It should return a relevant line in the audit rules.
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/modprobe -p x -k modules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-w /sbin/modprobe -p x -k modules
|
SLEM-05-654060 |
audit_rules_privileged_commands_modprobe |
V-261436 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "newgrp" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "newgrp" command with the following command:
$ sudo auditctl -l | grep newgrp
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654065 |
audit_rules_privileged_commands_newgrp |
V-261437 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "pam_timestamp_check" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654070 |
audit_rules_privileged_commands_pam_timestamp_check |
V-261438 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "passwd" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "passwd" command with the following command:
$ sudo auditctl -l | grep passwd
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654075 |
audit_rules_privileged_commands_passwd |
V-261439 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "rm" command. |
SRG-OS-ID |
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/bin/rm" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Is it the case that ?
|
At a minimum, the audit system should collect any execution attempt
of the rm command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654080 |
audit_rules_execution_rm |
V-261440 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "rmmod" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
To verify that auditing of privileged command use is configured, run the
following command:
$ sudo auditctl -l | grep -w '/sbin/rmmod'
If the system is configured to audit the execution of the module management program "rmmod",
the command will return a line.
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/rmmod -p x -k modules
|
SLEM-05-654085 |
audit_rules_privileged_commands_rmmod |
V-261441 |
169 |
medium |
SLEM 5 must generate audit records for all uses of the "setfacl" command. |
SRG-OS-ID |
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "setfacl" command with the following command:
$ sudo auditctl -l | grep setfacl
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect any execution attempt
of the setfacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654090 |
audit_rules_execution_setfacl |
V-261442 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "ssh-agent" command. |
SRG-OS-ID |
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "ssh-agent" command with the following command:
$ sudo auditctl -l | grep ssh-agent
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect any execution attempt
of the ssh-agent command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
|
SLEM-05-654095 |
audit_rules_privileged_commands_ssh_agent |
V-261443 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "ssh-keysign" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "ssh-keysign" command with the following command:
$ sudo auditctl -l | grep ssh-keysign
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654100 |
audit_rules_privileged_commands_ssh_keysign |
V-261444 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "su" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "su" command with the following command:
$ sudo auditctl -l | grep su
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654105 |
audit_rules_privileged_commands_su |
V-261445 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "sudo" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "sudo" command with the following command:
$ sudo auditctl -l | grep sudo
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654110 |
audit_rules_privileged_commands_sudo |
V-261446 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "sudoedit" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "sudoedit" command with the following command:
$ sudo auditctl -l | grep sudoedit
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654115 |
audit_rules_privileged_commands_sudoedit |
V-261447 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "unix_chkpwd" or "unix2_chkpwd" commands. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "unix_chkpwd" command with the following command:
$ sudo auditctl -l | grep unix_chkpwd
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654120 |
audit_rules_privileged_commands_unix_chkpwd |
V-261448 |
172 |
medium |
SLEM 5 must generate audit records for all uses of the "usermod" command. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "usermod" command with the following command:
$ sudo auditctl -l | grep usermod
-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654125 |
audit_rules_privileged_commands_usermod |
V-261449 |
|
medium |
SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. |
SRG-OS-ID |
|
|
|
SLEM-05-654130 |
Missing Rule |
V-261450 |
|
medium |
SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. |
SRG-OS-ID |
|
|
|
SLEM-05-654135 |
Missing Rule |
V-261451 |
172 |
medium |
SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. |
SRG-OS-ID |
In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
Verify SUSE Linux Enterprise Micro 5 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command:
$ sudo auditctl -l | grep -E '(/etc/passwd)'
-w /etc/passwd -p wa -k identity
Is it the case that the command does not return a line, or the line is commented out?
|
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
|
SLEM-05-654140 |
audit_rules_usergroup_modification_passwd |
V-261452 |
|
medium |
SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. |
SRG-OS-ID |
|
|
|
SLEM-05-654145 |
Missing Rule |
V-261453 |
|
medium |
SLEM 5 must generate audit records for all uses of the "chmod", "fchmod" and "fchmodat" system calls. |
SRG-OS-ID |
|
|
|
SLEM-05-654150 |
Missing Rule |
V-261454 |
|
medium |
SLEM 5 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls. |
SRG-OS-ID |
|
|
|
SLEM-05-654155 |
Missing Rule |
V-261455 |
|
medium |
SLEM 5 must generate audit records for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. |
SRG-OS-ID |
|
|
|
SLEM-05-654160 |
Missing Rule |
V-261456 |
|
medium |
SLEM 5 must generate audit records for all uses of the "delete_module" system call. |
SRG-OS-ID |
|
|
|
SLEM-05-654165 |
Missing Rule |
V-261457 |
|
medium |
SLEM 5 must generate audit records for all uses of the "init_module" and "finit_module" system calls. |
SRG-OS-ID |
|
|
|
SLEM-05-654170 |
Missing Rule |
V-261458 |
|
medium |
SLEM 5 must generate audit records for all uses of the "mount" system call. |
SRG-OS-ID |
|
|
|
SLEM-05-654175 |
Missing Rule |
V-261459 |
|
medium |
SLEM 5 must generate audit records for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. |
SRG-OS-ID |
|
|
|
SLEM-05-654180 |
Missing Rule |
V-261460 |
|
medium |
SLEM 5 must generate audit records for all uses of the "umount" system call. |
SRG-OS-ID |
|
|
|
SLEM-05-654185 |
Missing Rule |
V-261461 |
|
medium |
SLEM 5 must generate audit records for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. |
SRG-OS-ID |
|
|
|
SLEM-05-654190 |
Missing Rule |
V-261462 |
|
medium |
SLEM 5 must generate audit records for all uses of privileged functions. |
SRG-OS-ID |
|
|
|
SLEM-05-654195 |
Missing Rule |
V-261463 |
|
medium |
SLEM 5 must generate audit records for all modifications to the "lastlog" file. |
SRG-OS-ID |
|
|
|
SLEM-05-654200 |
Missing Rule |
V-261464 |
|
medium |
SLEM 5 must generate audit records for all modifications to the "tallylog" file. |
SRG-OS-ID |
|
|
|
SLEM-05-654205 |
Missing Rule |
V-261465 |
|
medium |
SLEM 5 must audit all uses of the sudoers file and all files in the "/etc/sudoers.d/" directory. |
SRG-OS-ID |
|
|
|
SLEM-05-654210 |
Missing Rule |
V-261466 |
169 |
medium |
Successful/unsuccessful uses of "setfiles" in SLEM 5 must generate an audit record. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "setfiles" command with the following command:
$ sudo auditctl -l | grep setfiles
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect any execution attempt
of the setfiles command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654215 |
audit_rules_execution_setfiles |
V-261467 |
169 |
medium |
Successful/unsuccessful uses of "semanage" in SLEM 5 must generate an audit record. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "semanage" command with the following command:
$ sudo auditctl -l | grep semanage
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect any execution attempt
of the semanage command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654220 |
audit_rules_execution_semanage |
V-261468 |
169 |
medium |
Successful/unsuccessful uses of "setsebool" in SLEM 5 must generate an audit record. |
SRG-OS-ID |
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
Verify that SUSE Linux Enterprise Micro 5 is configured to audit the execution of the "setsebool" command with the following command:
$ sudo auditctl -l | grep setsebool
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Is it the case that the command does not return a line, or the line is commented out?
|
At a minimum, the audit system should collect any execution attempt
of the setsebool command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
SLEM-05-654225 |
audit_rules_execution_setsebool |
V-261469 |
|
medium |
SLEM 5 must generate audit records for the "/run/utmp" file. |
SRG-OS-ID |
|
|
|
SLEM-05-654230 |
Missing Rule |
V-261470 |
|
medium |
SLEM 5 must generate audit records for the "/var/log/btmp" file. |
SRG-OS-ID |
|
|
|
SLEM-05-654235 |
Missing Rule |
V-261471 |
|
medium |
SLEM 5 must generate audit records for the "/var/log/wtmp" file. |
SRG-OS-ID |
|
|
|
SLEM-05-654240 |
Missing Rule |
V-261472 |
|
medium |
SLEM 5 must not disable syscall auditing. |
SRG-OS-ID |
|
|
|
SLEM-05-654245 |
Missing Rule |
V-261473 |
|
high |
FIPS 140-2/140-3 mode must be enabled on SLEM 5. |
SRG-OS-ID |
|
|
|
SLEM-05-671010 |
Missing Rule |