Definition of SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide for slmicro5

SLEM-05-211010: SLEM 5 must be a vendor-supported release.

Description: None

• high

Automated: yes

• installed_OS_is_vendor_supported: The Installed Operating System Is Vendor Supported

SLEM-05-211015: SLEM 5 must implement an endpoint security tool.

Description: None

• medium

Automated: no

No rules selected

SLEM-05-211020: SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting any local or remote connection to the system.

Description: None

• medium

Automated: yes

• banner_etc_issue: Modify the System Login Banner
• login_banner_text = dod_banners

SLEM-05-211025: SLEM 5 must disable the x86 Ctrl-Alt-Delete key sequence.

Description: None

• high

Automated: yes

• disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Activation

SLEM-05-212010: SLEM 5 with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.

Description: None

• high

Automated: yes

• grub2_password: Set Boot Loader Password in grub2

SLEM-05-212015: SLEM 5 with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.

Description: None

• high

Automated: yes

• grub2_uefi_password: Set the UEFI Boot Loader Password

SLEM-05-213010: SLEM 5 must restrict access to the kernel message buffer.

Description: None

• medium

Automated: yes

• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer

SLEM-05-213015: SLEM 5 kernel core dumps must be disabled unless needed.

Description: None

• medium

Automated: yes

• service_kdump_disabled: Disable KDump Kernel Crash Analyzer (kdump)

SLEM-05-213020: Address space layout randomization (ASLR) must be implemented by SLEM 5 to protect memory from unauthorized code execution.

Description: None

• medium

Automated: yes

• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

SLEM-05-213025: SLEM 5 must implement kptr-restrict to prevent the leaking of internal kernel addresses.

Description: None

• medium

Automated: yes

• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access

SLEM-05-214010: Vendor-packaged SLEM 5 security patches and updates must be installed and up to date.

Description: None

• medium

Automated: yes

• security_patches_up_to_date: Ensure Software Patches Installed

SLEM-05-214015: The SLEM 5 tool zypper must have gpgcheck enabled.

Description: None

• high

Automated: yes

• ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main zypper Configuration

SLEM-05-214020: SLEM 5 must remove all outdated software components after updated versions have been installed.

Description: None

• medium

Automated: yes

• clean_components_post_updating: Ensure zypper Removes Previous Package Versions

SLEM-05-215010: SLEM 5 must use vlock to allow for session locking.

Description: None

• medium

Automated: yes

• vlock_installed: Check that vlock is installed to allow session locking

SLEM-05-215015: SLEM 5 must not have the telnet-server package installed.

Description: None

• high

Automated: yes

• package_telnet-server_removed: Uninstall telnet-server Package

SLEM-05-231010: A separate file system must be used for SLEM 5 user home directories (such as /home or an equivalent).

Description: None

• medium

Automated: yes

• partition_for_home: Ensure /home Located On Separate Partition

SLEM-05-231015: SLEM 5 must use a separate file system for /var.

Description: None

• medium

Automated: yes

• partition_for_var: Ensure /var Located On Separate Partition

SLEM-05-231020: SLEM 5 must use a separate file system for the system audit data path.

Description: None

• medium

Automated: yes

• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

SLEM-05-231025: SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.

Description: None

• medium

Automated: yes

• mount_option_nosuid_remote_filesystems: Mount Remote Filesystems with nosuid

SLEM-05-231030: SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.

Description: None

• medium

Automated: yes

• mount_option_noexec_remote_filesystems: Mount Remote Filesystems with noexec

SLEM-05-231035: SLEM 5 file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.

Description: None

• medium

Automated: yes

• mount_option_nosuid_removable_partitions: Add nosuid Option to Removable Media Partitions

SLEM-05-231040: All SLEM 5 persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

Description: None

• high

Automated: yes

• encrypt_partitions: Encrypt Partitions

SLEM-05-231045: SLEM 5 file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.

Description: None

• medium

Automated: yes

• mount_option_home_nosuid: Add nosuid Option to /home

SLEM-05-231050: SLEM 5 must disable the file system automounter unless required.

Description: None

• medium

Automated: yes

• service_autofs_disabled: Disable the Automounter

SLEM-05-232010: SLEM 5 must have directories that contain system commands set to a mode of 755 or less permissive.

Description: None

• medium

Automated: yes

• dir_permissions_binary_dirs: Verify that System Executable Directories Have Restrictive Permissions

SLEM-05-232015: SLEM 5 must have system commands set to a mode of 755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_binary_dirs: Verify that System Executables Have Restrictive Permissions

SLEM-05-232020: SLEM 5 library directories must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• dir_permissions_library_dirs: Verify that Shared Library Directories Have Restrictive Permissions

SLEM-05-232025: SLEM 5 library files must have mode 755 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_library_dirs: Verify that Shared Library Files Have Restrictive Permissions

SLEM-05-232030: All SLEM 5 local interactive user home directories must have mode 750 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_home_directories: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

SLEM-05-232035: All SLEM 5 local initialization files must have mode 740 or less permissive.

Description: None

• medium

Automated: yes

• file_permission_user_init_files: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

SLEM-05-232040: SLEM 5 SSH daemon public host key files must have mode 644 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_pub_key: Verify Permissions on SSH Server Public *.pub Key Files

SLEM-05-232045: SLEM 5 SSH daemon private host key files must have mode 640 or less permissive.

Description: None

• medium

Automated: yes

• file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files

SLEM-05-232050: SLEM 5 library files must be owned by root.

Description: None

• medium

Automated: yes

• file_ownership_library_dirs: Verify that Shared Library Files Have Root Ownership

SLEM-05-232055: SLEM 5 library files must be group-owned by root.

Description: None

• medium

Automated: yes

• root_permissions_syslibrary_files: Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

SLEM-05-232060: SLEM 5 library directories must be owned by root.

Description: None

• medium

Automated: yes

• dir_ownership_library_dirs: Verify that Shared Library Directories Have Root Ownership

SLEM-05-232065: SLEM 5 library directories must be group-owned by root.

Description: None

• medium

Automated: yes

• dir_group_ownership_library_dirs: Verify that Shared Library Directories Have Root Group Ownership

SLEM-05-232070: SLEM 5 must have system commands owned by root.

Description: None

• medium

Automated: yes

• file_ownership_binary_dirs: Verify that System Executables Have Root Ownership

SLEM-05-232075: SLEM 5 must have system commands group-owned by root or a system account.

Description: None

• medium

Automated: yes

• file_groupownership_system_commands_dirs: Verify that system commands files are group owned by root or a system account

SLEM-05-232080: SLEM 5 must have directories that contain system commands owned by root.

Description: None

• medium

Automated: yes

• dir_system_commands_root_owned: Verify that system commands directories have root ownership

SLEM-05-232085: SLEM 5 must have directories that contain system commands group-owned by root.

Description: None

• medium

Automated: yes

• dir_system_commands_group_root_owned: Verify that system commands directories have root as a group owner

SLEM-05-232090: All SLEM 5 files and directories must have a valid owner.

Description: None

• medium

Automated: yes

• no_files_unowned_by_user: Ensure All Files Are Owned by a User

SLEM-05-232095: All SLEM 5 files and directories must have a valid group owner.

Description: None

• medium

Automated: yes

• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group

SLEM-05-232100: All SLEM 5 local interactive user home directories must be group-owned by the home directory owner's primary group.

Description: None

• medium

Automated: yes

• file_groupownership_home_directories: All Interactive User Home Directories Must Be Group-Owned By The Primary Group

SLEM-05-232105: All SLEM 5 world-writable directories must be group-owned by root, sys, bin, or an application group.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_system_owned_group: Ensure All World-Writable Directories Are Group Owned by a System Account

SLEM-05-232110: The sticky bit must be set on all SLEM 5 world-writable directories.

Description: None

• medium

Automated: yes

• dir_perms_world_writable_sticky_bits: Verify that All World-Writable Directories Have Sticky Bits Set

SLEM-05-232115: SLEM 5 must prevent unauthorized users from accessing system error messages.

Description: None

• medium

Automated: yes

• file_permissions_local_var_log_messages: Verify that local /var/log/messages is not world-readable

SLEM-05-232120: SLEM 5 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Description: None

• medium

Automated: yes

• permissions_local_var_log: Verify permissions of log files

SLEM-05-251010: SLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

Description: None

• medium

Automated: yes

• service_firewalld_enabled: Verify firewalld Enabled

SLEM-05-252010: SLEM 5 clock must, for networked systems, be synchronized to an authoritative DOD time source at least every 24 hours.

Description: None

• medium

Automated: yes

• chronyd_or_ntpd_set_maxpoll: Configure Time Service Maxpoll Interval
• chronyd_specify_remote_server: A remote time server for Chrony is configured
• var_multiple_time_servers = stig
• var_time_service_set_maxpoll = 18_hours

SLEM-05-252015: SLEM 5 must not have network interfaces in promiscuous mode unless approved and documented.

Description: None

• medium

Automated: yes

• network_sniffer_disabled: Ensure System is Not Acting as a Network Sniffer

SLEM-05-253010: SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

SLEM-05-253015: SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

SLEM-05-253020: SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces

SLEM-05-253025: SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

SLEM-05-253030: SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

SLEM-05-253035: SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

SLEM-05-253040: SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_ip_forward: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces

SLEM-05-253045: SLEM 5 must be configured to use TCP syncookies.

Description: None

• medium

Automated: yes

• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

SLEM-05-254010: SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

SLEM-05-254015: SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

SLEM-05-254020: SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces

SLEM-05-254025: SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

SLEM-05-254030: SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_all_forwarding: Disable Kernel Parameter for IPv6 Forwarding

SLEM-05-254035: SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.

Description: None

• medium

Automated: yes

• sysctl_net_ipv6_conf_default_forwarding: Disable Kernel Parameter for IPv6 Forwarding by default

SLEM-05-255010: SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information.

Description: None

• high

Automated: yes

• package_openssh-server_installed: Install the OpenSSH Server Package

SLEM-05-255015: SLEM 5 must use SSH to protect the confidentiality and integrity of transmitted information.

Description: None

• high

Automated: yes

• service_sshd_enabled: Enable the OpenSSH Service

SLEM-05-255020: SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting access via SSH.

Description: None

• medium

Automated: yes

• sshd_enable_warning_banner: Enable SSH Warning Banner

SLEM-05-255025: SLEM 5 must not allow unattended or automatic logon via SSH.

Description: None

• high

Automated: yes

• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords
• sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options

SLEM-05-255030: SLEM 5 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.

Description: None

• medium

Automated: yes

• sshd_set_keepalive: Set SSH Client Alive Count Max
• var_sshd_set_keepalive = 1

SLEM-05-255035: SLEM 5 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.

Description: None

• medium

Automated: yes

• sshd_idle_timeout_value = 10_minutes
• sshd_set_idle_timeout: Set SSH Client Alive Interval

SLEM-05-255040: SLEM 5 SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.

Description: None

• medium

Automated: yes

• sshd_disable_x11_forwarding: Disable X11 Forwarding

SLEM-05-255045: SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.

Description: None

• high

Automated: yes

• sshd_use_approved_ciphers: Use Only FIPS 140-2 Validated Ciphers
• sshd_use_approved_ciphers_ordered_stig: Use Only FIPS 140-2 Validated Ciphers

SLEM-05-255050: SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms.

Description: None

• high

Automated: yes

• sshd_use_approved_macs: Use Only FIPS 140-2 Validated MACs
• sshd_use_approved_macs_ordered_stig: Use Only FIPS 140-2 Validated MACs

SLEM-05-255055: SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated key exchange algorithms.

Description: None

• high

Automated: yes

• sshd_use_approved_kex_ordered_stig: Use Only FIPS 140-2 Validated Key Exchange Algorithms

SLEM-05-255060: SLEM 5 must deny direct logons to the root account using remote access via SSH.

Description: None

• medium

Automated: yes

• sshd_disable_root_login: Disable SSH Root Login

SLEM-05-255065: SLEM 5 must log SSH connection attempts and failures to the server.

Description: None

• medium

Automated: yes

• sshd_set_loglevel_verbose: Set SSH Daemon LogLevel to VERBOSE

SLEM-05-255070: SLEM 5 must display the date and time of the last successful account logon upon an SSH logon.

Description: None

• medium

Automated: yes

• sshd_print_last_log: Enable SSH Print Last Log

SLEM-05-255075: SLEM 5 SSH daemon must be configured to not allow authentication using known hosts authentication.

Description: None

• medium

Automated: yes

• sshd_disable_user_known_hosts: Disable SSH Support for User Known Hosts

SLEM-05-255080: SLEM 5 SSH daemon must perform strict mode checking of home directory configuration files.

Description: None

• medium

Automated: yes

• sshd_enable_strictmodes: Enable Use of Strict Mode Checking

SLEM-05-255085: SLEM 5, for PKI-based authentication, must enforce authorized access to the corresponding private key.

Description: None

• medium

Automated: no

• ssh_private_keys_have_passcode: OpenSSH Service Must Use Passcode for Their Private Keys

SLEM-05-255090: There must be no .shosts files on SLEM 5.

Description: None

• high

Automated: yes

• no_user_host_based_files: Remove User Host-Based Authentication Files

SLEM-05-255095: There must be no shosts.equiv files on SLEM 5.

Description: None

• high

Automated: yes

• no_host_based_files: Remove Host-Based Authentication Files

SLEM-05-272010: SLEM 5 must not allow unattended or automatic logon via the graphical user interface (GUI).

Description: None

• high

Automated: yes

• gnome_gdm_disable_unattended_automatic_login: Disable GDM Unattended or Automatic Login

SLEM-05-291010: SLEM 5 wireless network adapters must be disabled unless approved and documented.

Description: None

• medium

Automated: yes

• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

SLEM-05-291015: SLEM 5 must disable the USB mass storage kernel module.

Description: None

• medium

Automated: yes

• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver

SLEM-05-411010: All SLEM 5 local interactive user accounts, upon creation, must be assigned a home directory.

Description: None

• medium

Automated: yes

• accounts_have_homedir_login_defs: Ensure Home Directories are Created for New Users

SLEM-05-411015: SLEM 5 default permissions must be defined in such a way that all authenticated users can only read and modify their own files.

Description: None

• medium

Automated: yes

• accounts_umask_etc_login_defs: Ensure the Default Umask is Set Correctly in login.defs

SLEM-05-411020: SLEM 5 shadow password suite must be configured to enforce a delay of at least five seconds between logon prompts following a failed logon attempt.

Description: None

• medium

Automated: yes

• accounts_logon_fail_delay: Ensure the Logon Failure Delay is Set Correctly in login.defs
• var_accounts_fail_delay = 5

SLEM-05-411025: All SLEM 5 local interactive users must have a home directory assigned in the /etc/passwd file.

Description: None

• medium

Automated: yes

• accounts_user_interactive_home_directory_defined: All Interactive Users Must Have A Home Directory Defined

SLEM-05-411030: All SLEM 5 local interactive user home directories defined in the /etc/passwd file must exist.

Description: None

• medium

Automated: yes

• accounts_user_interactive_home_directory_exists: All Interactive Users Home Directories Must Exist

SLEM-05-411035: All SLEM 5 local interactive user initialization files executable search paths must contain only paths that resolve to the users' home directory.

Description: None

• medium

Automated: yes

• accounts_user_home_paths_only: Ensure that Users Path Contains Only Local Directories

SLEM-05-411040: All SLEM 5 local initialization files must not execute world-writable programs.

Description: None

• medium

Automated: yes

• accounts_user_dot_no_world_writable_programs: User Initialization Files Must Not Run World-Writable Programs

SLEM-05-411045: SLEM 5 must automatically expire temporary accounts within 72 hours.

Description: None

• medium

Automated: yes

• account_temp_expire_date: Assign Expiration Date to Temporary Accounts

SLEM-05-411050: SLEM 5 must never automatically remove or disable emergency administrator accounts.

Description: None

• medium

Automated: yes

• account_emergency_admin: Never Automatically Remove or Disable Emergency Administrator Accounts

SLEM-05-411055: SLEM 5 must not have unnecessary accounts.

Description: None

• medium

Automated: yes

• accounts_authorized_local_users: Only Authorized Local User Accounts Exist on Operating System
• var_accounts_authorized_local_users_regex = slmicro5

SLEM-05-411060: SLEM 5 must not have unnecessary account capabilities.

Description: None

• medium

Automated: yes

• no_shelllogin_for_systemaccounts: Ensure that System Accounts Do Not Run a Shell Upon Login

SLEM-05-411065: SLEM 5 root account must be the only account with unrestricted access to the system.

Description: None

• high

Automated: yes

• accounts_no_uid_except_zero: Verify Only Root Has UID 0

SLEM-05-411070: SLEM 5 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.

Description: None

• medium

Automated: yes

• account_disable_post_pw_expiration: Set Account Expiration Following Inactivity

SLEM-05-411075: SLEM 5 must not have duplicate User IDs (UIDs) for interactive users.

Description: None

• medium

Automated: yes

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs

SLEM-05-412010: SLEM 5 must display the date and time of the last successful account logon upon logon.

Description: None

• medium

Automated: yes

• display_login_attempts: Ensure PAM Displays Last Logon/Access Notification

SLEM-05-412015: SLEM 5 must initiate a session lock after a 15-minute period of inactivity.

Description: None

• medium

Automated: yes

• accounts_tmout: Set Interactive Session Timeout
• var_accounts_tmout = 15_min

SLEM-05-412020: SLEM 5 must lock an account after three consecutive invalid access attempts.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_tally2: Set Deny For Failed Password Attempts
• var_password_pam_tally2 = 3

SLEM-05-412025: SLEM 5 must enforce a delay of at least five seconds between logon prompts following a failed logon attempt via pluggable authentication modules (PAM).

Description: None

• medium

Automated: yes

• accounts_passwords_pam_faildelay_delay: Enforce Delay After Failed Logon Attempts
• var_password_pam_delay = 4000000

SLEM-05-412030: SLEM 5 must use the default pam_tally2 tally directory.

Description: None

• medium

Automated: yes

• accounts_passwords_pam_tally2_file: SLEM 5 must use the default pam_tally2 tally directory.
• accounts_passwords_pam_tally2_file_selinux: An SELinux Context must be configured for default pam_tally2 file option

SLEM-05-412035: SLEM 5 must limit the number of concurrent sessions to 10 for all accounts and/or account types.

Description: None

• low

Automated: yes

• accounts_max_concurrent_login_sessions: Limit the Number of Concurrent Login Sessions Allowed Per User
• var_accounts_max_concurrent_login_sessions = 10

SLEM-05-431010: SLEM 5 must have policycoreutils package installed.

Description: None

• low

Automated: yes

• package_policycoreutils_installed: Install policycoreutils Package

SLEM-05-431015: SLEM 5 must use a Linux Security Module configured to enforce limits on system services.

Description: None

• high

Automated: yes

• selinux_state: Ensure SELinux State is Enforcing
• var_selinux_state = enforcing

SLEM-05-431020: SLEM 5 must enable the SELinux targeted policy.

Description: None

• medium

Automated: yes

• selinux_policytype: Configure SELinux Policy
• var_selinux_policy_name = targeted

SLEM-05-431025: SLEM 5 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.

Description: None

• medium

Automated: no

• selinux_user_login_roles: Map System Users To The Appropriate SELinux Role

SLEM-05-432010: SLEM 5 must use the invoking user's password for privilege escalation when using "sudo".

Description: None

• medium

Automated: yes

• sudoers_validate_passwd: Ensure invoking users password for privilege escalation when using sudo

SLEM-05-432015: SLEM 5 must reauthenticate users when changing authenticators, roles, or escalating privileges.

Description: None

• medium

Automated: yes

• sudo_remove_no_authenticate: Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
• sudo_remove_nopasswd: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
• sudo_require_authentication: Ensure Users Re-Authenticate for Privilege Escalation - sudo

SLEM-05-432020: SLEM 5 must require reauthentication when using the "sudo" command.

Description: None

• medium

Automated: yes

• sudo_require_reauthentication: Require Re-Authentication When Using the sudo Command

SLEM-05-432025: SLEM 5 must restrict privilege elevation to authorized personnel.

Description: None

• medium

Automated: yes

• sudo_restrict_privilege_elevation_to_authorized: The operating system must restrict privilege elevation to authorized personnel

SLEM-05-432030: SLEM 5 must specify the default "include" directory for the /etc/sudoers file.

Description: None

• medium

Automated: yes

• sudoers_default_includedir: Ensure sudo only includes the default configuration directory

SLEM-05-611010: SLEM 5 must enforce passwords that contain at least one uppercase character.

Description: None

• medium

Automated: yes

• cracklib_accounts_password_pam_ucredit: Set Password Strength Minimum Uppercase Characters

SLEM-05-611015: SLEM 5 must enforce passwords that contain at least one lowercase character.

Description: None

• medium

Automated: yes

• cracklib_accounts_password_pam_lcredit: Set Password Strength Minimum Lowercase Characters

SLEM-05-611020: SLEM 5 must enforce passwords that contain at least one numeric character.

Description: None

• medium

Automated: yes

• cracklib_accounts_password_pam_dcredit: Set Password Strength Minimum Digit Characters

SLEM-05-611025: SLEM 5 must enforce passwords that contain at least one special character.

Description: None

• medium

Automated: yes

• cracklib_accounts_password_pam_ocredit: Set Password Strength Minimum Special Characters

SLEM-05-611030: SLEM 5 must prevent the use of dictionary words for passwords.

Description: None

• medium

Automated: yes

• cracklib_accounts_password_pam_retry: Set Password Retry Limit
• var_password_pam_retry = 3

SLEM-05-611035: SLEM 5 must employ passwords with a minimum of 15 characters.

Description: None

• medium

Automated: yes

• cracklib_accounts_password_pam_minlen: Set Password Minimum Length

SLEM-05-611040: SLEM 5 must require the change of at least eight of the total number of characters when passwords are changed.

Description: None

• medium

Automated: yes

• cracklib_accounts_password_pam_difok: Set Password Strength Minimum Different Characters

SLEM-05-611045: SLEM 5 must not allow passwords to be reused for a minimum of five generations.

Description: None

• medium

Automated: yes

• accounts_password_pam_pwhistory_remember: Limit Password Reuse
• var_password_pam_remember = 5
• var_password_pam_remember_control_flag = requisite

SLEM-05-611050: SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm

SLEM-05-611055: SLEM 5 must not be configured to allow blank or null passwords.

Description: None

• high

Automated: yes

• no_empty_passwords: Prevent Login to Accounts With Empty Password

SLEM-05-611060: SLEM 5 must not have accounts configured with blank or null passwords.

Description: None

• high

Automated: yes

• no_empty_passwords_etc_shadow: Ensure There Are No Accounts With Blank or Null Passwords

SLEM-05-611065: SLEM 5 must employ user passwords with a minimum lifetime of 24 hours (one day).

Description: None

• medium

Automated: yes

• accounts_password_set_min_life_existing: Set Existing Passwords Minimum Age
• var_accounts_minimum_age_login_defs = 1

SLEM-05-611070: SLEM 5 must employ user passwords with a maximum lifetime of 60 days.

Description: None

• medium

Automated: yes

• accounts_password_set_max_life_existing: Set Existing Passwords Maximum Age
• var_accounts_maximum_age_login_defs = 60

SLEM-05-611075: SLEM 5 must employ a password history file.

Description: None

• medium

Automated: yes

• file_etc_security_opasswd: Verify Permissions and Ownership of Old Passwords File

SLEM-05-611080: SLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms for system authentication.

Description: None

• high

Automated: yes

• accounts_password_all_shadowed_sha512: Verify All Account Password Hashes are Shadowed with SHA512

SLEM-05-611085: SLEM 5 shadow password suite must be configured to use a sufficient number of hashing rounds.

Description: None

• high

Automated: yes

• set_password_hashing_min_rounds_logindefs: Set Password Hashing Rounds in /etc/login.defs

SLEM-05-611090: SLEM 5 must employ FIPS 140-2/140-3 approved cryptographic hashing algorithm for system authentication (login.defs).

Description: None

• medium

Automated: yes

• set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs
• var_password_hashing_algorithm = SHA512

SLEM-05-611095: SLEM 5 must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).

Description: None

• medium

Automated: yes

• accounts_minimum_age_login_defs: Set Password Minimum Age

SLEM-05-611100: SLEM 5 must be configured to create or update passwords with a maximum lifetime of 60 days.

Description: None

• medium

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age

SLEM-05-612010: SLEM 5 must have the packages required for multifactor authentication to be installed.

Description: None

• medium

Automated: yes

• install_smartcard_packages: Install Smart Card Packages For Multifactor Authentication

SLEM-05-612015: SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

Description: None

• medium

Automated: yes

• smartcard_pam_enabled: Enable Smart Card Logins in PAM

SLEM-05-612020: SLEM 5 must implement certificate status checking for multifactor authentication.

Description: None

• medium

Automated: yes

• smartcard_configure_cert_checking: Configure Smart Card Certificate Status Checking

SLEM-05-631010: If Network Security Services (NSS) is being used by SLEM 5 it must prohibit the use of cached authentications after one day.

Description: None

• medium

Automated: yes

• sssd_memcache_timeout: Configure SSSD's Memory Cache to Expire
• var_sssd_memcache_timeout = 1_day

SLEM-05-631015: SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.

Description: None

• medium

Automated: yes

• sssd_offline_cred_expiration: Configure SSSD to Expire Offline Credentials

SLEM-05-631020: SLEM 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Description: None

• medium

Automated: yes

• smartcard_configure_ca: Configure Smart Card Certificate Authority Validation

SLEM-05-631025: SLEM 5 must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.

Description: None

• medium

Automated: yes

• pam_disable_automatic_configuration: The PAM configuration should not be changed automatically

SLEM-05-651010: SLEM 5 must use a file integrity tool to verify correct operation of all security functions.

Description: None

• medium

Automated: yes

• aide_build_database: Build and Test AIDE Database
• package_aide_installed: Install AIDE

SLEM-05-651015: SLEM 5 file integrity tool must be configured to verify Access Control Lists (ACLs).

Description: None

• medium

Automated: yes

• aide_verify_acls: Configure AIDE to Verify Access Control Lists (ACLs)

SLEM-05-651020: SLEM 5 file integrity tool must be configured to verify extended attributes.

Description: None

• medium

Automated: yes

• aide_verify_ext_attributes: Configure AIDE to Verify Extended Attributes

SLEM-05-651025: SLEM 5 file integrity tool must be configured to protect the integrity of the audit tools.

Description: None

• medium

Automated: yes

• aide_check_audit_tools: Configure AIDE to Verify the Audit Tools

SLEM-05-651030: Advanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly.

Description: None

• medium

Automated: yes

• aide_periodic_checking_systemd_timer: Configure Systemd Timer Execution of AIDE

SLEM-05-651035: SLEM 5 must notify the system administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions.

Description: None

• medium

Automated: yes

• aide_scan_notification: Configure Notification of Post-AIDE Scan Details

SLEM-05-652010: SLEM 5 must offload rsyslog messages for networked systems in real time and offload standalone systems at least weekly.

Description: None

• medium

Automated: no

• package_systemd-journal-remote_installed: Install systemd-journal-remote Package
• service_systemd-journal-upload_enabled: Enable systemd-journal-upload Service
• systemd_journal_upload_server_tls: Configure systemd-journal-upload TLS parameters: ServerKeyFile,ServerCertificateFile and TrustedCertificateFile
• systemd_journal_upload_url: Configure systemd-journal-upload URL

SLEM-05-653010: SLEM 5 must have the auditing package installed.

Description: None

• medium

Automated: yes

• package_audit_installed: Ensure the audit Subsystem is Installed

SLEM-05-653015: SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

Description: None

• medium

Automated: yes

• service_auditd_enabled: Enable auditd Service

SLEM-05-653020: The audit-audispd-plugins package must be installed on SLEM 5.

Description: None

• medium

Automated: yes

• package_audit-audispd-plugins_installed: Ensure the default plugins for the audit dispatcher are Installed

SLEM-05-653025: SLEM 5 must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.

Description: None

• medium

Automated: yes

• auditd_audispd_configure_sufficiently_large_partition: Configure a Sufficiently Large Partition for Audit Logs

SLEM-05-653030: SLEM 5 auditd service must notify the system administrator (SA) and information system security officer (ISSO) immediately when audit storage capacity is 75 percent full.

Description: None

• medium

Automated: yes

• auditd_data_retention_space_left_action: Configure auditd space_left Action on Low Disk Space
• auditd_data_retention_space_left_percentage: Configure auditd space_left on Low Disk Space
• var_auditd_space_left_action = email
• var_auditd_space_left_percentage = 25pc

SLEM-05-653035: SLEM 5 audit system must take appropriate action when the audit storage volume is full.

Description: None

• medium

Automated: yes

• auditd_data_disk_full_action: Configure auditd Disk Full Action when Disk Space Is Full

SLEM-05-653040: SLEM 5 must offload audit records onto a different system or media from the system being audited.

Description: None

• medium

Automated: yes

• auditd_audispd_network_failure_action: Configure audispd's Plugin network_failure_action On Network Failure

SLEM-05-653045: Audispd must take appropriate action when SLEM 5 audit storage is full.

Description: None

• medium

Automated: yes

• auditd_audispd_disk_full_action: Configure audispd's Plugin disk_full_action When Disk Is Full

SLEM-05-653050: SLEM 5 must protect audit rules from unauthorized modification.

Description: None

• medium

Automated: yes

• permissions_local_var_log_audit: Verify that Local Logs of the audit Daemon are not World-Readable

SLEM-05-653055: SLEM 5 audit tools must have the proper permissions configured to protect against unauthorized access.

Description: None

• medium

Automated: yes

• permissions_local_audit_binaries: Verify Permissions of Local Logs of audit Tools

SLEM-05-653060: SLEM 5 audit tools must have the proper permissions applied to protect against unauthorized access.

Description: None

• medium

Automated: no

No rules selected

SLEM-05-653065: SLEM 5 audit event multiplexor must be configured to use Kerberos.

Description: None

• low

Automated: yes

• auditd_audispd_encrypt_sent_records: Encrypt Audit Records Sent With audispd Plugin

SLEM-05-653070: Audispd must offload audit records onto a different system or media from SLEM 5 being audited.

Description: None

• medium

Automated: yes

• auditd_audispd_configure_remote_server: Configure audispd Plugin To Send Logs To Remote Server

SLEM-05-653075: The information system security officer (ISSO) and system administrator (SA), at a minimum, must have mail aliases to be notified of a SLEM 5 audit processing failure.

Description: None

• medium

Automated: yes

• postfix_client_configure_mail_alias: Configure System to Forward All Mail For The Root Account

SLEM-05-653080: The information system security officer (ISSO) and system administrator (SA), at a minimum, must be alerted of a SLEM 5 audit processing failure event.

Description: None

• medium

Automated: yes

• auditd_data_retention_action_mail_acct: Configure auditd mail_acct Action on Low Disk Space

SLEM-05-654010: SLEM 5 must generate audit records for all uses of the "chacl" command.

Description: None

• medium

Automated: yes

• audit_rules_execution_chacl: Record Any Attempts to Run chacl

SLEM-05-654015: SLEM 5 must generate audit records for all uses of the "chage" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage

SLEM-05-654020: SLEM 5 must generate audit records for all uses of the "chcon" command.

Description: None

• medium

Automated: yes

• audit_rules_execution_chcon: Record Any Attempts to Run chcon

SLEM-05-654025: SLEM 5 must generate audit records for all uses of the "chfn" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chfn: Ensure auditd Collects Information on the Use of Privileged Commands - chfn

SLEM-05-654030: SLEM 5 must generate audit records for all uses of the "chmod" command.

Description: None

• medium

Automated: yes

• audit_rules_execution_chmod: Record Any Attempts to Run chmod

SLEM-05-654035: SLEM 5 must generate audit records for a uses of the "chsh" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh

SLEM-05-654040: SLEM 5 must generate audit records for all uses of the "crontab" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab

SLEM-05-654045: SLEM 5 must generate audit records for all uses of the "gpasswd" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

SLEM-05-654050: SLEM 5 must generate audit records for all uses of the "insmod" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_insmod: Ensure auditd Collects Information on the Use of Privileged Commands - insmod

SLEM-05-654055: SLEM 5 must generate audit records for all uses of the "kmod" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod

SLEM-05-654060: SLEM 5 must generate audit records for all uses of the "modprobe" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_modprobe: Ensure auditd Collects Information on the Use of Privileged Commands - modprobe

SLEM-05-654065: SLEM 5 must generate audit records for all uses of the "newgrp" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

SLEM-05-654070: SLEM 5 must generate audit records for all uses of the "pam_timestamp_check" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

SLEM-05-654075: SLEM 5 must generate audit records for all uses of the "passwd" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd

SLEM-05-654080: SLEM 5 must generate audit records for all uses of the "rm" command.

Description: None

• medium

Automated: yes

• audit_rules_execution_rm: Record Any Attempts to Run rm

SLEM-05-654085: SLEM 5 must generate audit records for all uses of the "rmmod" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_rmmod: Ensure auditd Collects Information on the Use of Privileged Commands - rmmod

SLEM-05-654090: SLEM 5 must generate audit records for all uses of the "setfacl" command.

Description: None

• medium

Automated: yes

• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl

SLEM-05-654095: SLEM 5 must generate audit records for all uses of the "ssh-agent" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent

SLEM-05-654100: SLEM 5 must generate audit records for all uses of the "ssh-keysign" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

SLEM-05-654105: SLEM 5 must generate audit records for all uses of the "su" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su

SLEM-05-654110: SLEM 5 must generate audit records for all uses of the "sudo" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo

SLEM-05-654115: SLEM 5 must generate audit records for all uses of the "sudoedit" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_sudoedit: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

SLEM-05-654120: SLEM 5 must generate audit records for all uses of the "unix_chkpwd" or "unix2_chkpwd" commands.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

SLEM-05-654125: SLEM 5 must generate audit records for all uses of the "usermod" command.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod

SLEM-05-654130: SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group

SLEM-05-654135: SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd

SLEM-05-654140: SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd

SLEM-05-654145: SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

Description: None

• medium

Automated: yes

• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SLEM-05-654150: SLEM 5 must generate audit records for all uses of the "chmod", "fchmod" and "fchmodat" system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod

SLEM-05-654155: SLEM 5 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown

SLEM-05-654160: SLEM 5 must generate audit records for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls.

Description: None

• medium

Automated: yes

• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open

SLEM-05-654165: SLEM 5 must generate audit records for all uses of the "delete_module" system call.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module

SLEM-05-654170: SLEM 5 must generate audit records for all uses of the "init_module" and "finit_module" system calls.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module

SLEM-05-654175: SLEM 5 must generate audit records for all uses of the "mount" system call.

Description: None

• medium

Automated: yes

• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)

SLEM-05-654180: SLEM 5 must generate audit records for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr

SLEM-05-654185: SLEM 5 must generate audit records for all uses of the "umount" system call.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_umount2: Record Events that Modify the System's Discretionary Access Controls - umount2

SLEM-05-654190: SLEM 5 must generate audit records for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls.

Description: None

• medium

Automated: yes

• audit_rules_unsuccessful_file_modification_rename: Record Unsuccessful Delete Attempts to Files - rename

SLEM-05-654195: SLEM 5 must generate audit records for all uses of privileged functions.

Description: None

• medium

Automated: yes

• audit_rules_suid_privilege_function: Record Events When Privileged Executables Are Run

SLEM-05-654200: SLEM 5 must generate audit records for all modifications to the "lastlog" file.

Description: None

• medium

Automated: yes

• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog

SLEM-05-654205: SLEM 5 must generate audit records for all modifications to the "tallylog" file must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog

SLEM-05-654210: SLEM 5 must audit all uses of the sudoers file and all files in the "/etc/sudoers.d/" directory.

Description: None

• medium

Automated: yes

• audit_rules_sysadmin_actions: Ensure auditd Collects System Administrator Actions

SLEM-05-654215: Successful/unsuccessful uses of "setfiles" in SLEM 5 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles

SLEM-05-654220: Successful/unsuccessful uses of "semanage" in SLEM 5 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• package_policycoreutils-python-utils_installed: Install policycoreutils-python-utils package

SLEM-05-654225: Successful/unsuccessful uses of "setsebool" in SLEM 5 must generate an audit record.

Description: None

• medium

Automated: yes

• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool

SLEM-05-654230: SLEM 5 must generate audit records for the "/run/utmp file".

Description: None

• medium

Automated: yes

• audit_rules_session_events_utmp: Record Attempts to Alter Process and Session Initiation Information utmp

SLEM-05-654235: SLEM 5 must generate audit records for the "/var/log/btmp" file.

Description: None

• medium

Automated: yes

• audit_rules_session_events_btmp: Record Attempts to Alter Process and Session Initiation Information btmp

SLEM-05-654240: SLEM 5 must generate audit records for the "/var/log/wtmp" file.

Description: None

• medium

Automated: yes

• audit_rules_session_events_wtmp: Record Attempts to Alter Process and Session Initiation Information wtmp

SLEM-05-654245: SLEM 5 must not disable syscall auditing.

Description: None

• medium

Automated: yes

• audit_rules_enable_syscall_auditing: Remove Default Configuration to Disable Syscall Auditing

SLEM-05-671010: FIPS 140-2/140-3 mode must be enabled on SLEM 5.

Description: None

• high

Automated: yes

• is_fips_mode_enabled: Verify '/proc/sys/crypto/fips_enabled' exists