Rules Related To 'filesystem'

Verify that Shared Library Directories Have Root Group Ownership

Description

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be group-owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command:

$ sudo chgrp root DIR

Rationale

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system.

Verify that system commands directories are group owned by root

Description

System commands files are stored in the following directories by default:

/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

All these directories should be owned by the root group. If the directory is found to be owned by a group other than root correct its ownership with the following command:

$ sudo chgrp root DIR

Rationale

If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that System Executable Have Root Ownership

Description

/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

All these directories should be owned by the root user. If any directory DIR in these directories is found to be owned by a user other than root, correct its ownership with the following command:

$ sudo chown root DIR

Rationale

System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.

Verify that Shared Library Directories Have Root Ownership

Description

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command:

$ sudo chown root DIR

Rationale

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system.

Verify that System Executable Directories Have Restrictive Permissions

Description

System executables are stored in the following directories by default:

/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

These directories should not be group-writable or world-writable. If any directory DIR in these directories is found to be group-writable or world-writable, correct its permission with the following command:

$ sudo chmod go-w DIR

Rationale

System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Verify that Shared Library Directories Have Restrictive Permissions

Description

System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All sub-directories in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:

$ sudo chmod go-w DIR

Rationale

If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Ensure All World-Writable Directories Are Owned by root User

Description

All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. Following this, the files should be deleted or assigned to root user.

Rationale

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Verify that All World-Writable Directories Have Sticky Bits Set

Description

When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:

$ sudo chmod +t DIR

Rationale

Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.

Ensure All World-Writable Directories Are Owned by a System Account

Description

All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate owner.

Rationale

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Ensure All World-Writable Directories Are Group Owned by a System Account

Description

All directories in local partitions which are world-writable should be group owned by root or another system account. If any world-writable directories are not group owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Rationale

Allowing a user account to group own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Verify that system commands directories have root as a group owner

Description

System commands are stored in the following directories: by default:

/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin

All these directories should have root user as a group owner. If any system command directory is not group owned by a user other than root correct its ownership with the following command:

$ sudo chgrp root DIR

Rationale

If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that system commands directories have root ownership

Description

System commands are stored in the following directories by default:

/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin

All these directories should be owned by the root user. If any system command directory is not owned by a user other than root correct its ownership with the following command:

$ sudo chown root DIR

Rationale

If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify Group Who Owns /etc/sysctl.d Directory

Description

To properly set the group owner of /etc/sysctl.d, run the command:

$ sudo chgrp root /etc/sysctl.d

Rationale

The ownership of the /etc/sysctl.d directory by the root group is important because this directory hosts kernel configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the kernel configuration.

Verify User Who Owns /etc/sysctl.d Directory

Description

To properly set the owner of /etc/sysctl.d, run the command:

$ sudo chown root /etc/sysctl.d 

Rationale

The ownership of the /etc/sysctl.d directory by the root user is important because this directory hosts kernel configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the kernel configuration.

Verify Permissions On /etc/sysctl.d Directory

Description

To properly set the permissions of /etc/sysctl.d, run the command:

$ sudo chmod 0755 /etc/sysctl.d

Rationale

Setting correct permissions on the /etc/sysctl.d directory is important because this directory hosts kernel configuration. Protection of this directory is critical for system security. Restricting the permissions ensures exclusive control of the kernel configuration.

Verify Permissions and Ownership of Old Passwords File

Description

To properly set the owner of /etc/security/opasswd, run the command:

$ sudo chown root /etc/security/opasswd 

To properly set the group owner of /etc/security/opasswd, run the command:

$ sudo chgrp root /etc/security/opasswd

To properly set the permissions of /etc/security/opasswd, run the command:

$ sudo chmod 0600 /etc/security/opasswd

Rationale

The /etc/security/opasswd file stores old passwords to prevent password reuse. Protection of this file is critical for system security.

Verify Group Who Owns Backup group File

Description

To properly set the group owner of /etc/group-, run the command:

$ sudo chgrp root /etc/group-

Rationale

The /etc/group- file is a backup file of /etc/group, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Verify Group Who Owns Backup gshadow File

Description

To properly set the group owner of /etc/gshadow-, run the command:

$ sudo chgrp root /etc/gshadow-

Rationale

The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.

Verify Group Who Owns Backup passwd File

Description

To properly set the group owner of /etc/passwd-, run the command:

$ sudo chgrp root /etc/passwd-

Rationale

The /etc/passwd- file is a backup file of /etc/passwd, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.

Verify User Who Owns Backup shadow File

Description

To properly set the group owner of /etc/shadow-, run the command:

$ sudo chgrp root /etc/shadow-

Rationale

The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.

Verify Group Who Owns /etc/crypttab File

Description

To properly set the group owner of /etc/crypttab, run the command:

$ sudo chgrp root /etc/crypttab

Rationale

The ownership of the /etc/crypttab file by the root group is important because this file hosts encrypted block devices configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the encrypted block devices configuration.

Verify Group Who Owns group File

Description

To properly set the group owner of /etc/group, run the command:

$ sudo chgrp root /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Verify Group Who Owns gshadow File

Description

To properly set the group owner of /etc/gshadow, run the command:

$ sudo chgrp root /etc/gshadow

Rationale

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Verify Group Who Owns passwd File

Description

To properly set the group owner of /etc/passwd, run the command:

$ sudo chgrp root /etc/passwd

Rationale

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Verify Group Who Owns shadow File

Description

To properly set the group owner of /etc/shadow, run the command:

$ sudo chgrp root /etc/shadow

Rationale

The /etc/shadow file stores password hashes. Protection of this file is critical for system security.

Verify Group Who Owns /etc/shells File

Description

To properly set the group owner of /etc/shells, run the command:

$ sudo chgrp root /etc/shells

Rationale

The /etc/shells file contains the list of full pathnames to shells on the system. Since this file is used by many system programs this file should be protected.

Verify Group Who Owns System.map Files

Description

The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. These files must be group-owned by root. To properly set the group owner of /boot/System.map*, run the command:

$ sudo chgrp root /boot/System.map*

Rationale

The purpose of System.map files is primarily for debugging and profiling the kernel. Unrestricted access to these files might disclose information useful to attackers and malicious software leading to more sophisticated exploitation.

Verify Group Who Owns /var/log Directory

Description

To properly set the group owner of /var/log, run the command:

$ sudo chgrp root /var/log

Rationale

The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.

Verify Group Who Owns /var/log/messages File

Description

To properly set the group owner of /var/log/messages, run the command:

$ sudo chgrp root /var/log/messages

Rationale

The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.

Verify Group Who Owns /var/log/syslog File

Description

To properly set the group owner of /var/log/syslog, run the command:

$ sudo chgrp adm /var/log/syslog

Rationale

The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel.

Verify that audit tools are owned by group root

Description

The Amazon Linux 2023 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command:

$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch root
/sbin/autrace root
/sbin/auditd root
/sbin/audispd root
/sbin/augenrules root

Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators

Rationale

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.

Verify that system commands files are group owned by root or a system account

Description

System commands files are stored in the following directories by default:

/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

All files in these directories should be owned by the root group, or a system account. If the directory, or any file in these directories, is found to be owned by a group other than root or a a system account correct its ownership with the following command:

$ sudo chgrp root FILE

Rationale

If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify User Who Owns Backup group File

Description

To properly set the owner of /etc/group-, run the command:

$ sudo chown root /etc/group- 

Rationale

The /etc/group- file is a backup file of /etc/group, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Verify User Who Owns Backup gshadow File

Description

To properly set the owner of /etc/gshadow-, run the command:

$ sudo chown root /etc/gshadow- 

Rationale

The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.

Verify User Who Owns Backup passwd File

Description

To properly set the owner of /etc/passwd-, run the command:

$ sudo chown root /etc/passwd- 

Rationale

The /etc/passwd- file is a backup file of /etc/passwd, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.

Verify Group Who Owns Backup shadow File

Description

To properly set the owner of /etc/shadow-, run the command:

$ sudo chown root /etc/shadow- 

Rationale

The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.

Verify User Who Owns /etc/crypttab File

Description

To properly set the owner of /etc/crypttab, run the command:

$ sudo chown root /etc/crypttab 

Rationale

The ownership of the /etc/crypttab file by the root user is important because this file hosts encrypted block devices configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the encrypted block devices configuration.

Verify User Who Owns group File

Description

To properly set the owner of /etc/group, run the command:

$ sudo chown root /etc/group 

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Verify User Who Owns gshadow File

Description

To properly set the owner of /etc/gshadow, run the command:

$ sudo chown root /etc/gshadow 

Rationale

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Verify User Who Owns passwd File

Description

To properly set the owner of /etc/passwd, run the command:

$ sudo chown root /etc/passwd 

Rationale

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Verify Who Owns /etc/shells File

Description

To properly set the owner of /etc/shells, run the command:

$ sudo chown root /etc/shells 

Rationale

The /etc/shells file contains the list of full pathnames to shells on the system. Since this file is used by many system programs this file should be protected.

Verify User Who Owns shadow File

Description

To properly set the owner of /etc/shadow, run the command:

$ sudo chown root /etc/shadow 

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Verify User Who Owns System.map Files

Description

The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. These files must be owned by root. To properly set the owner of /boot/System.map*, run the command:

$ sudo chown root /boot/System.map* 

Rationale

The purpose of System.map files is primarily for debugging and profiling the kernel. Unrestricted access to these files might disclose information useful to attackers and malicious software leading to more sophisticated exploitation.

Verify User Who Owns /var/log Directory

Description

To properly set the owner of /var/log, run the command:

$ sudo chown root /var/log 

Rationale

The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.

Verify User Who Owns /var/log/messages File

Description

To properly set the owner of /var/log/messages, run the command:

$ sudo chown root /var/log/messages 

Rationale

The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.

Verify User Who Owns /var/log/syslog File

Description

To properly set the owner of /var/log/syslog, run the command:

$ sudo chown syslog /var/log/syslog 

Rationale

The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel.

Verify that audit tools are owned by root

Description

The Amazon Linux 2023 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command:

$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch root
/sbin/autrace root
/sbin/auditd root
/sbin/audispd root
/sbin/augenrules root

Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators

Rationale

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.

Verify that System Executables Have Root Ownership

Description

System executables are stored in the following directories by default:

/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin

All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:

$ sudo chown root FILE

Rationale

System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.

Verify that Shared Library Files Have Root Ownership

Description

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command:

$ sudo chown root FILE

Rationale

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.

Verify that audit tools Have Mode 0755 or less

Description

The Amazon Linux 2023 operating system audit tools must have the proper permissions configured to protected against unauthorized access. Verify it by running the following command:

$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

/sbin/auditctl 755
/sbin/aureport 755
/sbin/ausearch 755
/sbin/autrace 755
/sbin/auditd 755
/sbin/audispd 755
/sbin/augenrules 755

Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators

Rationale

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.

Verify Permissions on Backup group File

Description

To properly set the permissions of /etc/group-, run the command:

$ sudo chmod 0644 /etc/group-

Rationale

The /etc/group- file is a backup file of /etc/group, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Verify Permissions on Backup gshadow File

Description

To properly set the permissions of /etc/gshadow-, run the command:

$ sudo chmod 0000 /etc/gshadow-

Rationale

The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.

Verify Permissions on Backup passwd File

Description

To properly set the permissions of /etc/passwd-, run the command:

$ sudo chmod 0644 /etc/passwd-

Rationale

The /etc/passwd- file is a backup file of /etc/passwd, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.

Verify Permissions on Backup shadow File

Description

To properly set the permissions of /etc/shadow-, run the command:

$ sudo chmod 0000 /etc/shadow-

Rationale

The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.

Verify that System Executables Have Restrictive Permissions

Description

System executables are stored in the following directories by default:

/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin

All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:

$ sudo chmod go-w FILE

Rationale

System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Verify Permissions on /etc/audit/auditd.conf

Description

To properly set the permissions of /etc/audit/auditd.conf, run the command:

$ sudo chmod 0640 /etc/audit/auditd.conf

Rationale

Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Verify Permissions on /etc/audit/rules.d/*.rules

Description

To properly set the permissions of /etc/audit/rules.d/*.rules, run the command:

$ sudo chmod 0640 /etc/audit/rules.d/*.rules

Rationale

Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Verify Permissions on /etc/audit/audit.rules

Description

To properly set the permissions of /etc/audit/audit.rules, run the command:

$ sudo chmod 0640 /etc/audit/audit.rules

Rationale

Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Verify Permissions On /etc/crypttab File

Description

To properly set the permissions of /etc/crypttab, run the command:

$ sudo chmod 0600 /etc/crypttab

Rationale

Setting correct permissions on the /etc/crypttab file is important because this file hosts encrypted block devices configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the encrypted block devices configuration.

Verify Permissions on group File

Description

To properly set the permissions of /etc/group, run the command:

$ sudo chmod 0644 /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Verify Permissions on gshadow File

Description

To properly set the permissions of /etc/gshadow, run the command:

$ sudo chmod 0000 /etc/gshadow

Rationale

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Verify Permissions on passwd File

Description

To properly set the permissions of /etc/passwd, run the command:

$ sudo chmod 0644 /etc/passwd

Rationale

If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

Verify Permissions on shadow File

Description

To properly set the permissions of /etc/shadow, run the command:

$ sudo chmod 0000 /etc/shadow

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Verify Permissions on /etc/shells File

Description

To properly set the permissions of /etc/shells, run the command:

$ sudo chmod 0644 /etc/shells

Rationale

The /etc/shells file contains the list of full pathnames to shells on the system. Since this file is used by many system programs this file should be protected.

Verify that Shared Library Files Have Restrictive Permissions

Description

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:

$ sudo chmod go-w FILE

Rationale

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.

Verify that local /var/log/messages is not world-readable

Description

Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set the permissions of /var/log/messages, run the command:

$ sudo chmod 0640 /var/log/messages

Check that "permissions.local" file contains the correct permissions rules with the following command:

# grep -i messages /etc/permissions.local

/var/log/messages root:root 640

Rationale

The /var/log/messages file contains system error messages. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.

Verify that system commands are protected from unauthorized access

Description

System commands are stored in the following directories by default:

/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:

$ sudo chmod 755 FILE

Rationale

System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Verify Permissions on System.map Files

Description

The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. In general, there is no need for non-root users to read these files. To properly set the permissions of /boot/System.map*, run the command:

$ sudo chmod 0600 /boot/System.map*

Rationale

The purpose of System.map files is primarily for debugging and profiling the kernel. Unrestricted access to these files might disclose information useful to attackers and malicious software leading to more sophisticated exploitation.

Ensure All SGID Executables Are Authorized

Description

The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. This configuration check considers authorized SGID files those which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SGID file not deployed through an RPM will be flagged for further review.

Rationale

Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.

Ensure All SUID Executables Are Authorized

Description

The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. This configuration check considers authorized SUID files those which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SUID file not deployed through an RPM will be flagged for further review.

Rationale

Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.

Ensure No World-Writable Files Exist

Description

It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as sysfs or procfs.

Rationale

Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.

Ensure All Files Are Owned by a Group

Description

If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, those files should be deleted or assigned to an appropriate group. Locate the mount points related to local devices by the following command:

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid group using the following command:

$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null

Rationale

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account, or other similar cases. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

Verify Permissions on /var/log Directory

Description

To properly set the permissions of /var/log, run the command:

$ sudo chmod 0755 /var/log

Rationale

The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.

Verify Permissions on /var/log/messages File

Description

To properly set the permissions of /var/log/messages, run the command:

$ sudo chmod 0640 /var/log/messages

Rationale

The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.

Verify Permissions on /var/log/syslog File

Description

To properly set the permissions of /var/log/syslog, run the command:

$ sudo chmod 0640 /var/log/syslog

Rationale

The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel.

Add nosuid Option to /boot/efi

Description

The nosuid mount option can be used to prevent execution of setuid programs in /boot/efi. The SUID and SGID permissions should not be required on the boot partition. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /boot/efi.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.

Add noauto Option to /boot

Description

The noauto mount option is used to prevent automatic mounting of th /boot partition. Add the noauto option to the fourth column of /etc/fstab for the line which controls mounting of /boot.

Rationale

The /boot partition contains the kernel and the bootloader. Access to the partition after the boot process finishes should not be needed. Files contained within this partition can be analysed and gained information can be used for exploit creation.

Add nodev Option to /boot

Description

The nodev mount option can be used to prevent device files from being created in /boot. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /boot.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /boot

Description

The noexec mount option can be used to prevent binaries from being executed out of /boot. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /boot.

Rationale

The /boot partition contains the kernel and the bootloader. No binaries should be executed from this partition after the booting process finishes.

Add nosuid Option to /boot

Description

The nosuid mount option can be used to prevent execution of setuid programs in /boot. The SUID and SGID permissions should not be required on the boot partition. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /boot.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.

Add nodev Option to /dev/shm

Description

The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /dev/shm

Description

The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.

Add nosuid Option to /dev/shm

Description

The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Add grpquota Option to /home

Description

The grpquota mount option allows for the filesystem to have disk quotas configured. Add the grpquota option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by intentionally or accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern.

Add nodev Option to /home

Description

The nodev mount option can be used to prevent device files from being created in /home. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /home

Description

The noexec mount option can be used to prevent binaries from being executed out of /home. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

The /home directory contains data of individual users. Binaries in this directory should not be considered as trusted and users should not be able to execute them.

Add nosuid Option to /home

Description

The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.

Add usrquota Option to /home

Description

The usrquota mount option allows for the filesystem to have disk quotas configured. Add the usrquota option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by intentionally or accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern.

Mount Remote Filesystems with Kerberos Security

Description

Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

Add nodev Option to Non-Root Local Partitions

Description

The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any non-root local partitions.

Rationale

The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems.

Mount Remote Filesystems with nodev

Description

Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.

Add nodev Option to Removable Media Partitions

Description

The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems.

Mount Remote Filesystems with noexec

Description

Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Add noexec Option to Removable Media Partitions

Description

The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.

Mount Remote Filesystems with nosuid

Description

Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.

Add nosuid Option to Removable Media Partitions

Description

The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.

Add nosuid Option to /opt

Description

The nosuid mount option can be used to prevent execution of setuid programs in /opt. The SUID and SGID permissions should not be required in this directory. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /opt.

Rationale

The presence of SUID and SGID executables should be tightly controlled. The /opt directory contains additional software packages. Users should not be able to execute SUID or SGID binaries from this directory.

Add hidepid Option to /proc

Description

The hidepid mount option is applicable to /proc and is used to control who can access the information in /proc/[pid] directories. The option can have one of the following values:

0: Everybody may access all /proc/[pid] directories.
1: Users may not access files and subdirectories inside any /proc/[pid] directories
   but their own. The /proc/[pid] directories themselves remain visible.
2: Same as for mode 1, but in addition the /proc/[pid] directories belonging to other
   users become invisible.

For example, if you choose the value 2: Add the hidepid=2 option to the fourth column of /etc/fstab for the line which controls mounting of /proc.

Rationale

Users should not be able to see and access directories within /proc, which are not related to their own processes in a system. Otherwise, sensitive information from other users could be seem.

Add nosuid Option to /srv

Description

The nosuid mount option can be used to prevent execution of setuid programs in /srv. The SUID and SGID permissions should not be required in this directory. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /srv.

Rationale

The presence of SUID and SGID executables should be tightly controlled. The /srv directory contains files served by various network services such as FTP. Users should not be able to execute SUID or SGID binaries from this directory.

Add nodev Option to /tmp

Description

The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /tmp

Description

The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

Rationale

Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.

Add nosuid Option to /tmp

Description

The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Add nodev Option to /var/log/audit

Description

The nodev mount option can be used to prevent device files from being created in /var/log/audit. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /var/log/audit

Description

The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

Rationale

Allowing users to execute binaries from directories containing audit log files such as /var/log/audit should never be necessary in normal operation and can expose the system to potential compromise.

Add nosuid Option to /var/log/audit

Description

The nosuid mount option can be used to prevent execution of setuid programs in /var/log/audit. The SUID and SGID permissions should not be required in directories containing audit log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files.

Add nodev Option to /var/log

Description

The nodev mount option can be used to prevent device files from being created in /var/log. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /var/log

Description

The noexec mount option can be used to prevent binaries from being executed out of /var/log. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.

Rationale

Allowing users to execute binaries from directories containing log files such as /var/log should never be necessary in normal operation and can expose the system to potential compromise.

Add nosuid Option to /var/log

Description

The nosuid mount option can be used to prevent execution of setuid programs in /var/log. The SUID and SGID permissions should not be required in directories containing log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.

Add nodev Option to /var

Description

The nodev mount option can be used to prevent device files from being created in /var. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /var

Description

The noexec mount option can be used to prevent binaries from being executed out of /var. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var.

Rationale

The /var directory contains variable system data such as logs, mails and caches. No binaries should be executed from this directory.

Add nosuid Option to /var

Description

The nosuid mount option can be used to prevent execution of setuid programs in /var. The SUID and SGID permissions should not be required for this directory. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var.

Rationale

The presence of SUID and SGID executables should be tightly controlled.

Bind Mount /var/tmp To /tmp

Description

The /var/tmp directory is a world-writable directory. Bind-mount it to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp. To do so, edit /etc/fstab and add the following line:

/tmp     /var/tmp     none     rw,nodev,noexec,nosuid,bind     0 0

See the mount(8) man page for further explanation of bind mounting.

Rationale

Having multiple locations for temporary storage is not required. Unless absolutely necessary to meet requirements, the storage location /var/tmp should be bind mounted to /tmp and thus share the same protections.

Add nodev Option to /var/tmp

Description

The nodev mount option can be used to prevent device files from being created in /var/tmp. Legitimate character and block devices should not exist within temporary directories like /var/tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Add noexec Option to /var/tmp

Description

The noexec mount option can be used to prevent binaries from being executed out of /var/tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

Rationale

Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise.

Add nosuid Option to /var/tmp

Description

The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Ensure All Files Are Owned by a User

Description

If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. Locate the mount points related to local devices by the following command:

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid user using the following command:

$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null

Rationale

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account, or other similar cases. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

Ensure /boot Located On Separate Partition

Description

It is recommended that the /boot directory resides on a separate partition. This makes it easier to apply restrictions e.g. through the noexec mount option. Eventually, the /boot partition can be configured not to be mounted automatically with the noauto mount option.

Rationale

The /boot partition contains the kernel and bootloader files. Access to this partition should be restricted.

Ensure /dev/shm is configured

Description

The /dev/shm is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. If /dev/shm is not configured, tmpfs will be mounted to /dev/shm by systemd.

Rationale

Any user can upload and execute files inside the /dev/shm similar to the /tmp partition. Configuring /dev/shm allows an administrator to set the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.

Ensure /home Located On Separate Partition

Description

If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

Rationale

Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Ensure /opt Located On Separate Partition

Description

It is recommended that the /opt directory resides on a separate partition.

Rationale

The /opt partition contains additional software, usually installed outside the packaging system. Putting this directory on a separate partition makes it easier to apply restrictions e.g. through the nosuid mount option.

Ensure /srv Located On Separate Partition

Description

If a file server (FTP, TFTP...) is hosted locally, create a separate partition for /srv at installation time (or migrate it later using LVM). If /srv will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

Rationale

Srv deserves files for local network file server such as FTP. Ensuring that /srv is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Ensure /tmp Located On Separate Partition

Description

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Ensure /usr Located On Separate Partition

Description

It is recommended that the /usr directory resides on a separate partition.

Rationale

The /usr partition contains system software, utilities and files. Putting it on a separate partition allows limiting its size and applying restrictions through mount options.

Ensure /var Located On Separate Partition

Description

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

Ensure /var/log Located On Separate Partition

Description

System logs are stored in the /var/log directory. Ensure that /var/log has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Placing /var/log in its own partition enables better separation between log files and other files in /var/.

Ensure /var/log/audit Located On Separate Partition

Description

Audit logs are stored in the /var/log/audit directory. Ensure that /var/log/audit has its own partition or logical volume at installation time, or migrate it using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Rationale

Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Ensure /var/tmp Located On Separate Partition

Description

The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

The /var/tmp partition is used as temporary storage by many programs. Placing /var/tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Verify Permissions of Local Logs of audit Tools

Description

The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. Check that "permissions.local" file contains the correct permissions rules with the following command:

grep "^/usr/sbin/au" /etc/permissions.local

/usr/sbin/audispd root:root 0750
/usr/sbin/auditctl root:root 0750
/usr/sbin/auditd root:root 0750
/usr/sbin/ausearch root:root 0755
/usr/sbin/aureport root:root 0755
/usr/sbin/autrace root:root 0750
/usr/sbin/augenrules root:root 0750

Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Rationale

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SUSE operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.

Verify permissions of log files

Description

Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.

Rationale

The Amazon Linux 2023 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Verify that Local Logs of the audit Daemon are not World-Readable

Description

Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user. Check that "permissions.local" file contains the correct permissions rules with the following command:

# grep -i audit /etc/permissions.local

/var/log/audit/ root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640

Rationale

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

Description

System-wide library files are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64

All system-wide shared library files should be protected from unauthorised access. If any of these files is not group-owned by root, correct its group-owner with the following command:

$ sudo chgrp root FILE

Rationale

If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

OS commands and libraries must have the proper permissions to protect from unauthorized access

Description

Verify that the SUSE operating system prevents unauthorized users from accessing system command and library files. Check that all of the audit information files and folders have the correct permissions with the following command:

# sudo chkstat --warn --system

Set the correct permissions with the following command:

# sudo chkstat --set --system

Rationale

If the SUSE operating system were to allow any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components to initiate changes, including upgrades and modifications.

Enable Kernel Parameter to Enforce DAC on FIFOs

Description

To set the runtime status of the fs.protected_fifos kernel parameter, run the following command:

$ sudo sysctl -w fs.protected_fifos=2

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

fs.protected_fifos = 2

Rationale

This parameter is available since Linux Kernel 4.19 and allows to prohibit opening FIFOs that are not owned by the user in world and group writeable sticky directories. It avoids unintentional writes to an attacker-controlled FIFO where a program expects to create the regular file.

Enable Kernel Parameter to Enforce DAC on Hardlinks

Description

To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:

$ sudo sysctl -w fs.protected_hardlinks=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

fs.protected_hardlinks = 1

Rationale

By enabling this kernel parameter, users can no longer create soft or hard links to files which they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().

Enable Kernel Parameter to Enforce DAC on Regular files

Description

To set the runtime status of the fs.protected_regular kernel parameter, run the following command:

$ sudo sysctl -w fs.protected_regular=2

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

fs.protected_regular = 2

Rationale

This parameter is available since Linux Kernel 4.19 and allows to prohibit opening "regular" files that are not owned by the user in world and group writeable sticky directories. It avoids writes to an attacker-controlled regular file, for example, when a program expects to create the regular file.

Enable Kernel Parameter to Enforce DAC on Symlinks

Description

To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:

$ sudo sysctl -w fs.protected_symlinks=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

fs.protected_symlinks = 1

Rationale

By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().