Rules in DISA STIG for SUSE Linux Enterprise 12


Total Missing Implemented Coverage STIG ids missing rule
214 0 214 100.00%
V-ID CCI CAT Title SRG Description Check Procedures Fixtext Version Mapped Rule
V-217101 1230 high The SUSE operating system must be a vendor-supported release. SRG-OS-ID
An operating system is considered "supported" if the vendor continues to
provide security patches for the product.  With an unsupported release, it
will not be possible to resolve any security issue discovered in the system
software.
To verify that the installed operating system is supported, run
the following command:

$ grep -i "suse" /etc/os-release

SUSE Linux Enterprise 12
      Is it the case that the installed operating system is not supported?
      
The installed operating system must be maintained by a vendor.

SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise
vendor, SUSE is responsible for providing security patches.
SLES-12-010000 installed_OS_is_vendor_supported
V-217102 1227 medium Vendor-packaged SUSE operating system security patches and updates must be installed and up to date. SRG-OS-ID
Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise.
If the system is configured for online updates, invoking the following command will list available
security updates:
$ sudo zypper refresh && sudo zypper list-patches -g security
            
            
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
dictates.
SLES-12-010010 security_patches_up_to_date
V-217103 50 medium The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface. SRG-OS-ID
Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.

              
For U.S. Government systems, system use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not exist.
Verify the SUSE operating system displays the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on via the local GUI.

Note: If GNOME is not installed, this requirement is Not Applicable.

Check the configuration by running the following command:

# more /etc/gdm/Xsession

The beginning of the file must contain the following text immediately after #!/bin/sh:

if ! zenity --text-info \
--title "Consent" \
--filename=/etc/gdm/banner \
--no-markup \
--checkbox="Accept." 10 10; then
sleep 1;
exit 1;
fi

If the beginning of the file does not contain the above text immediately after the line (#!/bin/sh), this is a finding.
      Is it the case that the GNOME environment does not display the standard mandatory DoD notice and consent banner?
      
Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
              

The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.
              

System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
              

The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for the SUSE operating system:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Check the configuration by running the following command:

# more /etc/gdm/Xsession

The beginning of the file must contain the following text immediately after #!/bin/sh:

if ! zenity --text-info \
--title "Consent" \
--filename=/etc/gdm/banner \
--no-markup \
--checkbox="Accept." 10 10; then
sleep 1;
exit 1;
fi
            
SLES-12-010020 gui_login_dod_acknowledgement
V-217104 48 medium The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console. SRG-OS-ID
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.

            
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist.
To check if the system login banner is compliant,
run the following command:

$ cat /etc/issue
      Is it the case that it does not display the required banner?
      
To configure the system login banner edit /etc/issue. Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.


The DoD required text is either:

            
            You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
            
            
OR:

            
            I've read & consent to terms in IS user agreem't.
          
SLES-12-010030 banner_etc_issue
V-217105 1386 medium The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon. SRG-OS-ID
Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.

              
For U.S. Government systems, system use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not exist.
To ensure a login warning banner is enabled, run the following:
$ grep banner-message-enable /etc/dconf/db/gdm.d/*
If properly configured, the output should be true.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-enable.
      Is it the case that it is not?
      
In the default graphical environment, displaying a login warning banner
in the GNOME Display Manager's login screen can be enabled on the login
screen by setting banner-message-enable to true.

              
To enable, add or edit banner-message-enable to
/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to
/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update.
The banner text must also be set.
SLES-12-010040 dconf_gnome_banner_enabled
V-217106 1387 medium The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon. SRG-OS-ID
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
To ensure the login warning banner text is properly set, run the following:
$ grep banner-message-text /etc/dconf/db/gdm.d/*
If properly configured, the proper banner text will appear.
To ensure the login warning banner text is locked and cannot be changed by a user, run the following:
$ grep banner-message-text /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-text.
      Is it the case that it does not?
      
In the default graphical environment, configuring the login warning banner text
in the GNOME Display Manager's login screen can be configured on the login
screen by setting banner-message-text to 'APPROVED_BANNER'
where APPROVED_BANNER is the approved banner for your environment.

              
To enable, add or edit banner-message-text to

/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to
/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-text

After the settings have been set, run dconf update.
When entering a warning banner that spans several lines, remember
to begin and end the string with ' and use \n for new lines.
SLES-12-010050 dconf_gnome_login_banner_text
V-217107 60 medium The SUSE operating system must be able to lock the graphical user interface (GUI). SRG-OS-ID
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absense.
To check the status of the idle screen lock activation, run the following command:

gsettings get org.gnome.desktop.lockdown disable-lock-screen
If the result is "true", this is a finding.
Configure the SUSE operating system to allow the user to lock the GUI.
Run the following command to configure the SUSE operating system to allow the user to lock the GUI:
gsettings set org.gnome.desktop.lockdown disable-lock-screen false
      Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
      
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
run the following command to configure the SUSE operating system to allow the user to lock the GUI:
gsettings set org.gnome.desktop.lockdown disable-lock-screen false
Validate that disable-lock-screen has been set to false with the command:
gsettings get org.gnome.desktop.lockdown disable-lock-screen
            
SLES-12-010060 dconf_gnome_screensaver_lock_enabled
V-217108 58 low The SUSE operating system must utilize vlock to allow for session locking. SRG-OS-ID
A session lock is a temporary action taken when a user stops work and
moves away from the immediate physical vicinity of the information
system but does not want to log out because of the temporary nature of
the absence.

The session lock is implemented at the point where session activity can
be determined.

Regardless of where the session lock is determined and implemented,
once invoked, the session lock must remain in place until the user
reauthenticates. No other activity aside from reauthentication must
unlock the system.
Run the following command to determine if the kbd package is installed:
$ rpm -q kbd
      Is it the case that the package is not installed?
      
The SUSE Linux Enterprise 12 operating system must have vlock installed to allow for session locking.


The kbd package can be installed with the following command:

$ sudo zypper install kbd
              
SLES-12-010070 vlock_installed
V-217109 57 medium The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface. SRG-OS-ID
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings.
To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
      Is it the case that idle-delay is not locked?
      
If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
SLES-12-010080 dconf_gnome_session_idle_user_locks
V-217110 57 medium The SUSE operating system must initiate a session lock after a 15-minute period of inactivity. SRG-OS-ID
Terminating an idle session within a short time period reduces
the window of opportunity for unauthorized personnel to take control of a
management session enabled on the console or console port that has been
left unattended.
Run the following command to ensure the TMOUT value is configured for all users
on the system:

$ sudo grep TMOUT /etc/profile.d/autologout.sh

The output should return the following:
TMOUT=

readonly TMOUT
export TMOUT
      Is it the case that value of TMOUT is not less than or equal to expected setting?
      
Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity.
The value of TMOUT should be exported and read only.
The TMOUT

setting in /etc/profile.d/autologout.sh should read as follows:
TMOUT=
            
readonly TMOUT
export TMOUT
SLES-12-010090 accounts_tmout
V-217111 60 low The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface. SRG-OS-ID
Setting the screensaver mode to blank-only conceals the
contents of the display from passersby.
To ensure the screensaver is configured to be blank, run the following command:
$ gsettings get org.gnome.desktop.screensaver picture-uri
If properly configured, the output should be ''.

To ensure that users cannot set the screensaver background, run the following:
$ grep picture-uri /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
      Is it the case that it is not set or configured properly?
      


On SUSE users should set the screensaver to use publicly viewable images or blank screen
by doing the following:
Find the Settings menu and then navigate to the Background selection section

- Click "Applications" on the bottom left.
              - Hover over "System Tools" with the mouse.
              - Click the "Settings" icon under System Tools.
              - Click "Background" and then "Lock Screen".
              - Select image and set the Lock Screen image to the user's choice.
              - Click "Select".
              - Exit Settings Dialog.


To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set picture-uri to string '' in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=string ''

Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
SLES-12-010100 dconf_gnome_screensaver_mode_blank
V-251719 366 medium The SUSE operating system must specify the default "include" directory for the /etc/sudoers file. SRG-OS-ID
Some sudo configurtion options allow users to run programs without re-authenticating.
Use of these configuration options makes it easier for one compromised accound to be used to
compromise other accounts.
To determine whether sudo command includes configuration files from the appropriate directory,
run the following command:
$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d
If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly.
Any other line returned is a finding.
      Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories??
      
Administrators can configure authorized sudo users via drop-in files, and it is possible to include
other directories and configuration files from the file currently being parsed.

Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d,
or that no drop-in file is included.
Either the /etc/sudoers should contain only one #includedir directive pointing to
/etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories;
Or the /etc/sudoers should not contain any #include,
@include, #includedir or @includedir directives.
Note that the '#' character doesn't denote a comment in the configuration file.
SLES-12-010109 sudoers_default_includedir
V-217112 2038 high The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges. SRG-OS-ID
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.

            
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
To determine if NOPASSWD has been configured for sudo, run the following command:
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
The command should return no output.
      Is it the case that nopasswd is specified in the sudo config files?
      
The sudo NOPASSWD tag, when specified, allows a user to execute
commands using sudo without having to authenticate. This should be disabled
by making sure that the NOPASSWD tag does not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
SLES-12-010110 sudo_remove_nopasswd
V-237603 366 medium The SUSE operating system must restrict privilege elevation to authorized personnel. SRG-OS-ID
If the "sudoers" file is not configured correctly, any user defined
on the system can initiate privileged actions on the target system.
Determine if "sudoers" file restricts sudo access run the following commands:
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
      Is it the case that either of the commands returned a line?
      
The sudo command allows a user to execute programs with elevated
(administrator) privileges. It prompts the user for their password
and confirms your request to execute a command by checking a file,
called sudoers.
Restrict privileged actions by removing the following entries from the sudoers file:
ALL ALL=(ALL) ALL
            ALL ALL=(ALL:ALL) ALL
          
SLES-12-010111 sudo_restrict_privilege_elevation_to_authorized
V-237604 2227 medium The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo". SRG-OS-ID
If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt
the invoking user for the "root" user password.
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' 
or if cvtsudoers not supported:
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
If no results are returned, this is a finding.
If conflicting results are returned, this is a finding.
If "Defaults !targetpw" is not defined, this is a finding.
If "Defaults !rootpw" is not defined, this is a finding.
If "Defaults !runaspw" is not defined, this is a finding.
      Is it the case that invoke user passwd when using sudo?
      
The sudoers security policy requires that users authenticate themselves before they can use sudo.
When sudoers requires authentication, it validates the invoking user's credentials.
The expected output for:
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 
             Defaults !targetpw
      Defaults !rootpw
      Defaults !runaspw 
or if cvtsudoers not supported:
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
             /etc/sudoers:Defaults !targetpw
      /etc/sudoers:Defaults !rootpw
      /etc/sudoers:Defaults !runaspw 
          
SLES-12-010112 sudoers_validate_passwd
V-237605 2038 medium The SUSE operating system must require re-authentication when using the "sudo" command. SRG-OS-ID
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.

            
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
Verify the operating system requires re-authentication
when using the "sudo" command to elevate privileges, run the following command:
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
The output should be:
/etc/sudoers:Defaults timestamp_timeout=0 or "timestamp_timeout" is set to a positive number.
If conflicting results are returned, this is a finding.
      Is it the case that timestamp_timeout is not set with the appropriate value for sudo?
      
The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits.
The default timestamp_timeout value is 5 minutes.
The timestamp_timeout should be configured by making sure that the
timestamp_timeout tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
If the value is set to an integer less than 0, the user's time stamp will not expire
and the user will not have to re-authenticate for privileged actions until the user's session is terminated.
SLES-12-010113 sudo_require_reauthentication
V-251720 2038 medium The SUSE operating system must not be configured to bypass password requirements for privilege escalation. SRG-OS-ID
Without re-authentication, users may access resources or perform tasks for which they do not
have authorization. When operating systems provide the capability to escalate a functional
capability, it is critical the user re-authenticate.
Verify the operating system is not configured to bypass password requirements for privilege
escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudo
      Is it the case that system is configured to bypass password requirements for privilege escalation?
      
Verify the operating system is not configured to bypass password requirements for privilege
escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudo
If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.
SLES-12-010114 disallow_bypass_password_sudo
V-217113 54 low The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. SRG-OS-ID
Limiting simultaneous user logins can insulate the system from denial of service
problems caused by excessive logins. Automated login processes operating improperly or
maliciously may result in an exceptional number of simultaneous login sessions.
Verify SUSE Linux Enterprise 12 limits the number of concurrent sessions to
"" for all
accounts and/or account types with the following command:
$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf
/etc/security/limits.conf:* hard maxlogins 10
This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
      Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater
than "" and
is not documented with the Information System Security Officer (ISSO) as an
operational requirement for all domains that have the "maxlogins" item
assigned'?
      
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf or
a file under /etc/security/limits.d/:
* hard maxlogins 
            
          
SLES-12-010120 accounts_max_concurrent_login_sessions
V-217114 44 medium The SUSE operating system must lock an account after three consecutive invalid access attempts. SRG-OS-ID
By limiting the number of failed logon attempts, the risk of unauthorized
system access via user password guessing, otherwise known as brute-force
attacks, is reduced. Limits are imposed by locking the account.

To configure the operating system to lock an account after three
unsuccessful consecutive access attempts using pam_tally2.so,
modify the content of both /etc/pam.d/login and
/etc/pam.d/common-account as follows:

              
              
                 add or modify the pam_tally2.so module line in
/etc/pam.d/login to ensure both onerr=fail and
deny=
                   are present. For example:
auth required pam_tally2.so onerr=fail silent audit deny=
                  
                
                 add or modify the following line in /etc/pam.d/common-account:
account required pam_tally2.so
                
              
            
Check that the systems locks a user account after - at most - 
consecutive failed login attempts with the following command:

# grep -E '^\s*auth\s+\S+\s+pam_(tally2|unix)\.so' /etc/pam.d/login
auth required pam_tally2.so onerr=fail deny=

If no line is returned, the line is commented out, or the line is missing
"onerr=fail", this is a finding.
If the line has "deny" set to a value outside of the range 1-,
this is a finding.

Check that the system resets the failed login attempts counter after a
successful login using the following command:

# grep pam_tally2.so /etc/pam.d/common-account
account required pam_tally2.so deny=

If the account option is missing, or commented out, this is a finding.
      Is it the case that the account option is missing or commented out?
      
The SUSE Linux Enterprise 12 operating system must lock an account after - at most - 
consecutive invalid access attempts.
SLES-12-010130 accounts_passwords_pam_tally2
V-217116 366 medium The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt. SRG-OS-ID
Increasing the time between a failed authentication attempt and re-prompting to
enter credentials helps to slow a single-threaded brute force attack.
Verify SUSE Linux Enterprise 12 enforces a delay of at least  seconds between console logon prompts following a failed logon attempt with the following command:

$ sudo grep -i "FAIL_DELAY" /etc/login.defs
FAIL_DELAY 
      Is it the case that the value of "FAIL_DELAY" is not set to "" or greater, or the line is commented out?
      
To ensure the logon failure delay controlled by /etc/login.defs is set properly,
add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY 
            
          
SLES-12-010140 accounts_logon_fail_delay
V-217117 192 medium The SUSE operating system must enforce passwords that contain at least one upper-case character. SRG-OS-ID
Requiring a minimum number of uppercase characters makes password guessing
attacks more difficult by ensuring a larger search space.
To check how many uppercase characters are required in a password, run the
following command:
grep pam_cracklib.so /etc/pam.d/common-password
password requisite pam_cracklib.so ucredit=
The ucredit parameter (as a negative number) will indicate how
many uppercase characters are required.
The DoD and FISMA require at least one uppercase character in a password.
This would appear as ucredit=-1.
      Is it the case that ucredit is not found or not set to the required value?
      
The pam_cracklib module's ucredit= parameter controls requirements
for usage of uppercase letters in a password. When set to a negative
number, any password will be required to contain that many uppercase
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each uppercase character.
Add ucredit=-1 after pam_cracklib.so to require use of an upper
case character in passwords.
SLES-12-010150 cracklib_accounts_password_pam_ucredit
V-217118 193 medium The SUSE operating system must enforce passwords that contain at least one lower-case character. SRG-OS-ID
Requiring a minimum number of lowercase characters makes password guessing
attacks more difficult by ensuring a larger search space.
Check that the operating system enforces password complexity by requiring
that at least one lower-case character be used by using the following
command:

# grep pam_cracklib.so /etc/pam.d/common-password
password requisite pam_cracklib.so lcredit=

If the command does not return anything, the returned line is commented
out, or has a second column value different from "requisite", or does not
contain lcredit=, this is a finding.

The DoD and FISMA require at least one lowercase character in a password.
This would appear as lcredit=-1.
      Is it the case that lcredit is not found or not set to the required value?
      
The pam_cracklib module's lcredit= parameter controls requirements
for usage of lowercase letters in a password. When set to a negative
number, any password will be required to contain that many lowercase
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each lowercase character.
Add lcredit=-1 after pam_cracklib.so to require use of a
lowercase character in passwords.
SLES-12-010160 cracklib_accounts_password_pam_lcredit
V-217119 194 medium The SUSE operating system must enforce passwords that contain at least one numeric character. SRG-OS-ID
Requiring digits makes password guessing attacks more difficult by ensuring
a larger search space.
To check how many digits are required in a password, run the following
command:
# grep pam_cracklib /etc/pam.d/common-password
password requisite pam_cracklib.so dcredit=
The dcredit parameter (as a negative number) will indicate how
many digits are required.
The DoD requires at least one digit in a password.
This would appear as dcredit=-1.
      Is it the case that dcredit is not found or not set to the required value?
      
The pam_cracklib module's dcredit parameter controls requirements
for usage of digits in a password. When set to a negative number, any
password will be required to contain that many digits. When set to a
positive number, pam_cracklib will grant +1 additional length credit for
each digit. Add dcredit=-1 after pam_cracklib.so to require use of
a digit in passwords.
SLES-12-010170 cracklib_accounts_password_pam_dcredit
V-217120 1619 medium The SUSE operating system must enforce passwords that contain at least one special character. SRG-OS-ID
Requiring a minimum number of special characters makes password guessing
attacks more difficult by ensuring a larger search space.
To check how many special characters are required in a password, run the
following command:
# grep pam_cracklib.so /etc/pam.d/common-password
password requisite pam_cracklib.so ocredit=
The ocredit parameter (as a negative number) will indicate how
many special characters are required.
The DoD and FISMA require at least one special character in a password.
This would appear as ocredit=-1.
      Is it the case that ocredit is not found or not set to the required value?
      
The pam_cracklib module's ocredit= parameter controls requirements
for usage of special (or ``other'') characters in a password. When set to a
negative number, any password will be required to contain that many special
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each special character.
Make sure the ocredit parameter for the pam_cracklib module is
set to less than or equal to 
                  
                . For example, ocredit=
                .
SLES-12-010180 cracklib_accounts_password_pam_ocredit
V-217121 195 medium The SUSE operating system must require the change of at least eight (8) of the total number of characters when passwords are changed. SRG-OS-ID
Requiring a minimum number of different characters during password changes
ensures that newly changed passwords should not resemble previously
compromised ones. Note that passwords which are changed on compromised
systems will still be compromised, however.
To check how many characters must differ during a password change, run the
following command:
# grep pam_cracklib.so /etc/pam.d/common-password
password requisite pam_cracklib.so difok=
The difok parameter will indicate how many characters must differ.
The DoD requires at least eight characters differ during a password change.
This would appear as difok=8.
      Is it the case that difok is not found or not set to the required value?
      
The pam_cracklib module's difok parameter controls requirements for
usage of different characters during a password change. The number of
changed characters refers to the number of changes required with respect to
the total number of positions in the current password. In other words,
characters may be the same within the two passwords; however, the positions
of the like characters must be different.
Make sure the difok parameter for the pam_cracklib module is
configured to greater than or equal to 
                  
                .
SLES-12-010190 cracklib_accounts_password_pam_difok
V-217122 803 medium The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs). SRG-OS-ID
Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.

              
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm.

Check the hashing algorithm that is being used to hash passwords with the following command:

$ sudo grep -i ENCRYPT_METHOD /etc/login.defs

ENCRYPT_METHOD 
      Is it the case that ENCRYPT_METHOD is not set to ?
      
In /etc/login.defs, add or update the following line to ensure the system will use
 as the hashing algorithm:
ENCRYPT_METHOD 
              
            
SLES-12-010210 set_password_hashing_algorithm_logindefs
V-217123 196 medium The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords. SRG-OS-ID
Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised.
Verify that the interactive user account passwords are using a strong
password hash with the following command:

$ sudo cut -d: -f2 /etc/shadow

$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/

Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
      Is it the case that any interactive user password hash does not begin with "$6"?
      
Verify the operating system requires the shadow password suite
configuration be set to encrypt interactive user passwords using a strong
cryptographic hash.
Check that the interactive user account passwords are using a strong
password hash with the following command:
$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
If any interactive user password hash does not begin with $6,
this is a finding.
SLES-12-010220 accounts_password_all_shadowed_sha512
V-251721 366 high The SUSE operating system must not have accounts configured with blank or null passwords. SRG-OS-ID
If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments.
To verify that null passwords cannot be used, run the following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If this produces any output, it may be possible to log into accounts
with empty passwords.
      Is it the case that Blank or NULL passwords can be used?
      
Check the "/etc/shadow" file for blank passwords with the
following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding.
Configure all accounts on the system to have a password or lock
the account with the following commands:
Perform a password reset:
$ sudo passwd [username]
Lock an account:
$ sudo passwd -l [username]
            
SLES-12-010221 no_empty_passwords_etc_shadow
V-217124 803 medium The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords. SRG-OS-ID
Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.

              
This setting ensures user and group account administration utilities are configured to store
only encrypted representations of passwords. Additionally, the crypt_style
configuration option in /etc/libuser.conf ensures the use of a strong hashing
algorithm that makes password cracking attacks more difficult.
Inspect the password section of /etc/pam.d/common-password
and ensure that the pam_unix.so module is configured to use the argument
:

$ sudo grep "^password.*pam_unix\.so.*" /etc/pam.d/common-password
password required pam_unix.so 

      Is it the case that "" is missing, or is commented out?
      
The PAM system service can be configured to only store encrypted representations of passwords.
In "/etc/pam.d/common-password", the password section of the file controls which
PAM modules to execute during a password change.

Set the pam_unix.so module in the password section to include the option

                
               and no other hashing
algorithms as shown below:

              password    required    pam_unix.so 
                other arguments...
              
              
This will help ensure that new passwords for local users will be stored using the
 algorithm.
SLES-12-010230 set_password_hashing_algorithm_systemauth
V-217125 366 medium The SUSE operating system must not be configured to allow blank or null passwords. SRG-OS-ID
If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments.
To verify that null passwords cannot be used, run the following command:

$ grep pam_unix.so /etc/pam.d/* | grep nullok

If this produces any output, it may be possible to log into accounts
with empty passwords. Remove any instances of the nullok option to
prevent logins with empty passwords.
      Is it the case that NULL passwords can be used?
      
If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok in

password authentication configurations in /etc/pam.d/

to prevent logins with empty passwords.
SLES-12-010231 no_empty_passwords
V-217126 196 medium The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords. SRG-OS-ID
Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if
they are kept in plain text.

              
Using more hashing rounds makes password cracking attacks more difficult.
Inspect /etc/login.defs and ensure that if eihter
SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS
are set, they must have the minimum value of 5000.
      Is it the case that it does not?
      
In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and
SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000.
For example:
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000
Notice that if neither are set, they already have the default value of 5000.
If either is set, they must have the minimum value of 5000.
SLES-12-010240 set_password_hashing_min_rounds_logindefs
V-217127 205 medium The SUSE operating system must employ passwords with a minimum of 15 characters. SRG-OS-ID
Password length is one factor of several that helps to determine
strength and how long it takes to crack a password. Use of more characters in
a password helps to exponentially increase the time and/or resources
required to compromise the password.
To check how many characters are required in a password, run the following command:
$ grep pam_cracklib.so /etc/pam.d/common-password
Your output should contain minlen=
      Is it the case that minlen is not found or not set to the required value (or higher)?
      
The pam_cracklib module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=
                
 to set minimum password length requirements.
SLES-12-010250 cracklib_accounts_password_pam_minlen
V-217128 198 medium The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day). SRG-OS-ID
Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse.

              
Setting the minimum password age protects against users cycling back to a
favorite password after satisfying the password reuse requirement.
Verify SUSE Linux Enterprise 12 enforces 24 hours/one day as the minimum password lifetime for new user accounts.

Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command:

$ grep -i pass_min_days /etc/login.defs

PASS_MIN_DAYS 
      Is it the case that the "PASS_MIN_DAYS" parameter value is not "" or greater, or is commented out?
      
To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS 
              
A value of 1 day is considered sufficient for many
environments. The DoD requirement is 1.
The profile requirement is 
                
              .
SLES-12-010260 accounts_minimum_age_login_defs
V-217129 198 medium The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day). SRG-OS-ID
Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password, the
password could be repeatedly changed in a short period of time to defeat the
organization's policy regarding password reuse.
Verify that SUSE Linux Enterprise 12 has configured the minimum time period between password changes for each user account is one day or greater with the following command:

$ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?
      
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER
              
            
SLES-12-010270 accounts_password_set_min_life_existing
V-217130 199 medium The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days. SRG-OS-ID
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.

              
Setting the password maximum age ensures users are required to
periodically change their passwords. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise.
Verify that SUSE Linux Enterprise 12 enforces a -day maximum password lifetime for new user accounts by running the following command:

$ grep -i pass_max_days /etc/login.defs

PASS_MAX_DAYS 
      Is it the case that the "PASS_MAX_DAYS" parameter value is greater than "", or commented out?
      
To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 
              
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is 
                
              .
SLES-12-010280 accounts_maximum_age_login_defs
V-217131 199 medium The SUSE operating system must employ user passwords with a maximum lifetime of 60 days. SRG-OS-ID
Any password, no matter how complex, can eventually be cracked. Therefore,
passwords need to be changed periodically. If the operating system does
not limit the lifetime of passwords and force users to change their
passwords, there is the risk that the operating system passwords could be
compromised.
Check whether the maximum time period for existing passwords is restricted to  days with the following commands:

$ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow

$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?
      
Configure non-compliant accounts to enforce a -day maximum password lifetime
restriction by running the following command:
$ sudo chage -M 
                USER
              
            
SLES-12-010290 accounts_password_set_max_life_existing
V-217132 200 medium The SUSE operating system must employ a password history file. SRG-OS-ID
The /etc/security/opasswd file stores old passwords to prevent
password reuse. Protection of this file is critical for system security.
To check the ownership of /etc/security/opasswd,
run the command:
$ ls -lL /etc/security/opasswd
If properly configured, the output should indicate the following owner:
root
To check the group ownership of /etc/security/opasswd,
run the command:
$ ls -lL /etc/security/opasswd
If properly configured, the output should indicate the following group-owner:
root
To check the permissions of /etc/security/opasswd,
run the command:
$ ls -l /etc/security/opasswd
If properly configured, the output should indicate the following permissions:
0600
      Is it the case that /etc/security/opasswd does not have an owner of root and /etc/security/opasswd does not have a group owner of root and /etc/security/opasswd does not have unix mode 0600?
      
 To properly set the owner of /etc/security/opasswd, run the command: $ sudo chown root /etc/security/opasswd 
To properly set the group owner of /etc/security/opasswd, run the command: $ sudo chgrp root /etc/security/opasswd
To properly set the permissions of /etc/security/opasswd, run the command: $ sudo chmod 0600 /etc/security/opasswd
            
SLES-12-010300 file_etc_security_opasswd
V-217133 200 medium The SUSE operating system must not allow passwords to be reused for a minimum of five (5) generations. SRG-OS-ID
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
Check that the SUSE operating system prohibits the reuse of a password for
a minimum of  generations with the following command:
# grep pam_pwhistory.so /etc/pam.d/common-password
password requisite pam_pwhistory.so remember= use_authtok
If the command does not return a result, or the returned line is commented
out, has a second column value different from "requisite", does not contain
"remember" value, the value is less than
, or is missing the
"use_authtok" keyword, this is a finding.
      Is it the case that the value of remember is not set equal to or greater than ?
      
Do not allow users to reuse recent passwords. This can be
accomplished by using the remember option for the
pam_pwhistory PAM modules.

              
In the file /etc/pam.d/common-password, make sure the parameters
remember and use_authtok are present, and that the value
for the remember parameter is  or greater. For example:
password requisite pam_pwhistory.so ...existing_options... remember= use_authtok
The DoD STIG requirement is 5 passwords.
SLES-12-010310 accounts_password_pam_pwhistory_remember
V-217134 366 medium The SUSE operating system must prevent the use of dictionary words for passwords. SRG-OS-ID
To reduce opportunities for successful guesses and brute-force attacks.
Check the password retry limit with the following command:

# grep pam_cracklib.so /etc/pam.d/common-password
password requisite pam_cracklib.so retry=

If the command does not return anything, or the returned line is
commented out, this is a finding.

If the value of retry is greater than
, this is a finding.
      Is it the case that retry is not found or not set to the required value (or lower)?
      
The pam_cracklib module's retry parameter controls the maximum
number of times to prompt the user for the password before returning
with error. Make sure it is configured with a value that is no more than
. For example, retry=1.
SLES-12-010320 cracklib_accounts_password_pam_retry
V-217135 1682 medium The SUSE operating system must never automatically remove or disable emergency administrator accounts. SRG-OS-ID
Emergency accounts are different from infrequently used accounts (i.e.,
local logon accounts used by the organization's system administrators when
network or normal logon/access is not available). Infrequently used
accounts are not subject to automatic termination dates. Emergency accounts
are accounts created in response to crisis situations, usually for use by
maintenance personnel. The automatic expiration or disabling time period
may be extended as needed until the crisis is resolved; however, it must
not be extended indefinitely. A permanent account should be established for
privileged users who need long-term maintenance accounts.

To address access requirements the SUSE operating system can be integrated
with enterprise-level authentication/access mechanisms that meet or exceed
access control policy requirements.
Check to see if an emergency administrator account password or account expires with the following command:

# sudo chage -l [Emergency_Administrator]

Password expires:never

If Password expires or Account expires is set to anything other than never, this is a finding.
      Is it the case that any emergency administrator account or account password has an expiration date set?
      
Emergency accounts are privileged accounts that are established in response
to crisis situations where the need for rapid account activation is
required. Therefore, emergency account activation may bypass normal account
authorization processes. If these accounts are automatically disabled,
system maintenance during emergencies may not be possible, thus adversely
affecting system availability.

Check to see if an emergency administrator account password or account expires with the following command:

# sudo chage -l [Emergency_Administrator]

Password expires:never

If Password expires or Account expires is set to anything other than never, this is a finding.
SLES-12-010330 account_emergency_admin
V-256980 1682 medium The SUSE operating system must automatically expire temporary accounts within 72 hours. SRG-OS-ID
If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.

            
Verify that temporary accounts have been provisioned with an expiration date
of 72 hours. For every temporary account, run the following command to
obtain its account aging and expiration information:
$ sudo chage -l temporary_account_name
Verify each of these accounts has an expiration date set within 72 hours or
as documented.
      Is it the case that any temporary accounts have no expiration date set or do not expire within 72 hours?
      
Temporary accounts are established as part of normal account activation
procedures when there is a need for short-term accounts. In the event
temporary accounts are required, configure the system to
terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on
it, substituting 
                USER
               and 
                YYYY-MM-DD
              
appropriately:
$ sudo chage -E YYYY-MM-DD USER
              
              
                YYYY-MM-DD
               indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours.
SLES-12-010331 account_temp_expire_date
V-217136 795 medium The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration. SRG-OS-ID
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
To verify the INACTIVE setting, run the following command:
$ grep "INACTIVE" /etc/default/useradd
The output should indicate the INACTIVE configuration option is set
to an appropriate integer as shown in the example below:
$ grep "INACTIVE" /etc/default/useradd
INACTIVE=
      Is it the case that the value of INACTIVE is greater than the expected value or is -1?
      
To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd:
INACTIVE=
                  
                
              
If a password is currently on the verge of expiration, then

                
              
day(s) remain(s) until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 60
days plus 
                
               day(s) could
elapse until the account would be automatically disabled. See the
useradd man page for more information.
SLES-12-010340 account_disable_post_pw_expiration
V-217138 366 medium The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. SRG-OS-ID
Limiting the number of logon attempts over a certain time interval reduces
the chances that an unauthorized user may gain access to an account.
Verify that the SUSE Linux Enterprise 12 operating system enforces a minimum delay betweeen
logon prompts following a failed logon attempt.

# grep pam_faildelay /etc/pam.d/common-auth
auth required pam_faildelay.so delay=

If the value of delay is not set to
 or greater,
"delay" is commented out, "delay" is missing, or the "pam_faildelay" line is missing
completely, this is a finding.
      Is it the case that the value of delay is not set properly or the line is commented or missing?
      
To configure the system to introduce a delay after failed logon attempts,
add or correct the pam_faildelay settings in
/etc/pam.d/common-auth to make sure its delay parameter
is at least  or greater. For example:
auth required pam_faildelay.so delay=
              
            
SLES-12-010370 accounts_passwords_pam_faildelay_delay
V-255915 1090 low The SUSE operating system must restrict access to the kernel message buffer. SRG-OS-ID
Unprivileged access to the kernel syslog can expose sensitive kernel
address information.
The runtime status of the kernel.dmesg_restrict kernel parameter can be queried
by running the following command:
$ sysctl kernel.dmesg_restrict
1.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1
          
SLES-12-010375 sysctl_kernel_dmesg_restrict
V-217139 366 high The SUSE operating system must not allow unattended or automatic logon via the graphical user interface. SRG-OS-ID
Failure to restrict system access to authenticated users negatively impacts operating
system security.
To verify that automatic or unattended logins are disabled, run the following command:
grep -i ^DISPLAYMANAGER_AUTOLOGIN /etc/sysconfig/displaymanager
The output should show the following:
DISPLAYMANAGER_AUTOLOGIN=""
     DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
      Is it the case that GDM allows users to automatically login or unattended login?
      
The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials or unattended login. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the DISPLAYMANAGER_AUTOLOGIN=""
or DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" in the
/etc/sysconfig/displaymanager. For example:
DISPLAYMANAGER_AUTOLOGIN=""
DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
            
SLES-12-010380 gnome_gdm_disable_unattended_automatic_login
V-217140 52 low The SUSE operating system must display the date and time of the last successful account logon upon logon. SRG-OS-ID
Users need to be aware of activity that occurs regarding their account. Providing users with
information regarding the number of unsuccessful attempts that were made to login to their
account allows the user to determine if any unauthorized activity has occurred and gives them
an opportunity to notify administrators.
Verify users are provided with feedback on when account accesses last occurred with the following command:

$ sudo grep pam_lastlog /etc/pam.d/login

session optional pam_lastlog.so showfailed
      Is it the case that "pam_lastlog.so" is not properly configured in "/etc/pam.d/login" file?
      
To configure the system to notify users of last logon/access using pam_lastlog,
add or correct the pam_lastlog settings in /etc/pam.d/login
to include showfailed option, such as:
session     optional    pam_lastlog.so showfailed
And make sure that the silent option is not set for this specific line.
SLES-12-010390 display_login_attempts
V-217141 366 high There must be no .shosts files on the SUSE operating system. SRG-OS-ID
The .shosts files are used to configure host-based authentication for
individual users or the system via SSH. Host-based authentication is not
sufficient for preventing unauthorized access to the system, as it does not
require interactive identification and authentication of a connection request,
or for the use of two-factor authentication.
To verify that there are no .shosts files
on the system, run the following command:
$ sudo find / -name '.shosts'
      Is it the case that .shosts files exist?
      
The ~/.shosts (in each user's home directory) files
list remote hosts and users that are trusted by the
local system. To remove these files, run the following command
to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete
          
SLES-12-010400 no_user_host_based_files
V-217142 366 high There must be no shosts.equiv files on the SUSE operating system. SRG-OS-ID
The shosts.equiv files are used to configure host-based authentication for the system via SSH.
Host-based authentication is not sufficient for preventing unauthorized access to the system,
as it does not require interactive identification and authentication of a connection request,
or for the use of two-factor authentication.
Verify that there are no shosts.equiv files on the system, run the following command:
$ find / -name shosts.equiv
      Is it the case that shosts.equiv files exist?
      
The shosts.equiv file lists remote hosts and users that are trusted by the local
system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
          
SLES-12-010410 no_host_based_files
V-217143 2450 medium FIPS 140-2 mode must be enabled on the SUSE operating system. SRG-OS-ID
The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS
PUB 140-2) is a computer security standard. The standard specifies security
requirements for cryptographic modules used to protect sensitive
unclassified information.  Refer to the full FIPS 140-2 standard at

    http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
for further details on the requirements.
FIPS 140-2 validation is required by U.S. law when information systems use
cryptography to protect sensitive government information. In order to
achieve FIPS 140-2 certification, cryptographic modules are subject to
extensive testing by independent laboratories, accredited by National
Institute of Standards and Technology (NIST).
To verify that the installed operating system is supported or certified, run
the following command:

$ grep -i "suse" /etc/os-release

The output should contain something similar to:
SUSE Linux Enterprise 12
      Is it the case that the installed operating system is not FIPS 140-2 certified?
      
To enable processing of sensitive information the operating system must
provide certified cryptographic modules compliant with FIPS 140-2
standard.

SUSE Enterprise Linux is supported by SUSE Software Solutions Germany GmbH. As the SUSE Enterprise
Linux vendor, SUSE Software Solutions Germany GmbH is responsible for maintaining government
certifications and standards.
SLES-12-010420 installed_OS_is_FIPS_certified
V-217144 213 medium SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes. SRG-OS-ID
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
First, check whether the password is defined in either /boot/grub2/user.cfg or
/boot/grub2/grub.cfg.
Run the following commands:
$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' /boot/grub2/user.cfg
$ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' /boot/grub2/grub.cfg


Second, check that a superuser is defined in /boot/grub2/grub.cfg.
$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$'  /boot/grub2/grub.cfg
      Is it the case that it does not produce any output?
      
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.

            
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:

# grub2-mkpasswd-pbkdf2

When prompted, enter the password that was selected.

            

Using the hash from the output, modify the /etc/grub.d/40_custom
file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString

NOTE: the bootloader superuser account and password MUST differ from the
root account and password.
Once the superuser password has been added,
update the
grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub2.cfg
          
SLES-12-010430 grub2_password
V-217145 213 medium SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. SRG-OS-ID
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
To verify the boot loader superuser password has been set, run the following command:
$ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/efi/EFI/sles/user.cfg
The output should be similar to:
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
      Is it the case that no password is set?
      
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.

            
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:

# grub2-mkpasswd-pbkdf2

When prompted, enter the password that was selected.

            

Using the hash from the output, modify the /etc/grub.d/40_custom
file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString

NOTE: the bootloader superuser account and password MUST differ from the
root account and password.
Once the superuser password has been added,
update the
grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub2.cfg
          
SLES-12-010440 grub2_uefi_password
V-217146 2475 medium All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. SRG-OS-ID
The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise.  Encrypting this data mitigates
the risk of its loss if the system is lost.
Check the system partitions to determine if they are encrypted with the following command:
blkid

Output will be similar to:
/dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2
" TYPE="crypto_LUKS"
/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
" TYPE="crypto_LUKS"

The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
are not required to use disk encryption and are not a finding.
      Is it the case that partitions do not have a type of crypto_LUKS?
      
SUSE Linux Enterprise 12 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.

            
For manual installations, select the Encrypt checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.


            
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the SUSE Linux Enterprise 12 Documentation web site:
            https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-security-cryptofs.html
.
SLES-12-010450 encrypt_partitions
V-217147 1090 medium The sticky bit must be set on all SUSE operating system world-writable directories. SRG-OS-ID
Failing to set the sticky bit on public directories allows unauthorized users to delete files
in the directory structure.

            
The only authorized public directories are those temporary directories supplied with the
system, or those designed to be temporary file repositories. The setting is normally reserved
for directories used by the system, by users for temporary file storage (such as /tmp),
and for directories requiring global read/write access.
To find world-writable directories that lack the sticky bit, run the following command:
$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null
fixtext: |-
Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources.

Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit:

$ chmod a+t [World-Writable Directory]
srg_requirement:
A sticky bit must be set on all SUSE Linux Enterprise 12 public directories to prevent unauthorized and unintended information transferred via shared system resources.
      Is it the case that any world-writable directories are missing the sticky bit?
      
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may
remove that file from the directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky bit prevents users from
removing each other's files. In cases where there is no reason for a directory to be
world-writable, a better solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application, consult that application's
documentation instead of blindly changing modes.

To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
            
          
SLES-12-010460 dir_perms_world_writable_sticky_bits
V-256981 1744 medium The SUSE operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel. SRG-OS-ID
Emails can be used to notify designated personnel about important
system events such as failures or warnings.
Run the following command to determine if the mailx package is installed: $ rpm -q mailx
      Is it the case that the package is not installed?
      
A mail server is required for sending emails.
The mailx package can be installed with the following command:

$ sudo zypper install mailx
        
SLES-12-010498 package_mailx_installed
V-255916 2696 medium The SUSE operating system must use a file integrity tool to verify correct operation of all security functions. SRG-OS-ID
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
To find the location of the AIDE database file, run the following command:
$ sudo ls -l DBDIR/database_file_name
      Is it the case that there is no database file?
      
Run the following command to generate a new database:

$ sudo /usr/bin/aide --init

By default, the database will be written to the file

/var/lib/aide/aide.db.new.

Storing the database, the configuration file /etc/aide.conf, and the binary
/usr/bin/aide
(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:

$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

To initiate a manual check, run the following command:
$ sudo /usr/bin/aide --check
If this check produces any unexpected output, investigate.
SLES-12-010499 aide_build_database
V-217148 1744 medium Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly. SRG-OS-ID
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.

                
Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.

                
Detecting such changes and providing an automated response can help avoid unintended,
negative consequences that could ultimately affect the security state of the operating
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item.
Verify the operating system routinely checks the baseline configuration for unauthorized changes.

To determine that periodic AIDE execution has been scheduled, run the following command:
$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/bin/aide --check

NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable.
      Is it the case that AIDE is not configured to scan periodically?
      
At a minimum, AIDE should be configured to run a weekly scan.
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/bin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/bin/aide --check
AIDE can be executed periodically through other means; this is merely one example.
The usage of cron's special time codes, such as  @daily and
@weekly is acceptable.
SLES-12-010500 aide_periodic_cron_checking
V-217149 2702 medium The SUSE operating system must notify the System Administrator (SA) when AIDE discovers anomalies in the operation of any security functions. SRG-OS-ID
Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.

                
Detecting such changes and providing an automated response can help avoid unintended,
negative consequences that could ultimately affect the security state of the operating
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item.
To determine that periodic AIDE execution has been scheduled, run the following command:

$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
The email address that the notifications are sent to can be changed by overriding
.
      Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details?
      
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
If AIDE has already been configured for periodic execution in /etc/crontab, append the
following line to the existing AIDE line:
 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.
SLES-12-010510 aide_scan_notification
V-217150 366 low The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs). SRG-OS-ID
ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools.
To determine that AIDE is verifying ACLs, run the following command:
$ grep acl /etc/aide.conf
Verify that the acl option is added to the correct ruleset.
      Is it the case that the acl option is missing or not added to the correct ruleset?
      
By default, the acl option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the acl option is missing, add acl
to the appropriate ruleset.
For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.


The remediation provided with this rule adds acl to all rule sets available in
/etc/aide.conf
              
SLES-12-010520 aide_verify_acls
V-217151 366 low The SUSE operating system file integrity tool must be configured to verify extended attributes. SRG-OS-ID
Extended attributes in file systems are used to contain arbitrary data and file metadata
with security implications.
To determine that AIDE is verifying extended file attributes, run the following command:
$ grep xattrs /etc/aide.conf
Verify that the xattrs option is added to the correct ruleset.
      Is it the case that the xattrs option is missing or not added to the correct ruleset?
      
By default, the xattrs option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the xattrs option is missing, add xattrs
to the appropriate ruleset.
For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.


The remediation provided with this rule adds xattrs to all rule sets available in
/etc/aide.conf
              
SLES-12-010530 aide_verify_ext_attributes
V-217152 1496 medium The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools. SRG-OS-ID
Protecting the integrity of the tools used for auditing purposes is a
critical step toward ensuring the integrity of audit information. Audit
information includes all information (e.g., audit records, audit settings,
and audit reports) needed to successfully audit information system
activity.

Audit tools include but are not limited to vendor-provided and open-source
audit tools needed to successfully view and manipulate audit information
system activity and records. Audit tools include custom queries and report
generators.

It is not uncommon for attackers to replace the audit tools or inject code
into the existing tools to provide the capability to hide or erase system
activity from the audit logs.

To address this risk, audit tools must be cryptographically signed to
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files.
Check that AIDE is properly configured to protect the integrity of the
audit tools by running the following command:

# sudo cat /etc/aide.conf | grep /usr/sbin/au

/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512


If AIDE is configured properly to protect the integrity of the audit tools,
all lines listed above will be returned from the command.

If one or more lines are missing, this is a finding.
      Is it the case that integrity checks of the audit tools are missing or incomplete?
      
The operating system file integrity tool must be configured to protect the integrity of the audit tools.
SLES-12-010540 aide_check_audit_tools
V-217153 1749 medium The SUSE operating system tool zypper must have gpgcheck enabled. SRG-OS-ID
Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system
components must be signed with a certificate recognized and approved by the
organization.
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from a vendor.
This ensures the software has not been tampered with and that it has been
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA).
Verify that zypper verifies the signature of packages from a repository prior to install with the following command:

$ grep gpgcheck /etc/zypp/zypp.conf

gpgcheck=1

If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
      Is it the case that there is no process to validate certificates that is approved by the organization?
      
The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure zypper to check package signatures before installing
them, ensure the following line appears in /etc/zypp/zypp.conf in
the [main] section:
gpgcheck=1
          
SLES-12-010550 ensure_gpgcheck_globally_activated
V-217154 2617 medium The SUSE operating system must remove all outdated software components after updated versions have been installed. SRG-OS-ID
Previous versions of software components that are not removed from the information
system after updates have been installed may be exploited by some adversaries.
Verify SUSE Linux Enterprise 12 removes all software components after updated versions have been installed.


To verify that solver.upgradeRemoveDroppedPackages is configured properly, run the
following command:
$ grep -i upgradeRemoveDroppedPackages /etc/zypp/zypp.conf
The output should return something similar to:
solver.upgradeRemoveDroppedPackages=true
      Is it the case that 'solver.upgradeRemoveDroppedPackages is not enabled or configured correctly'?
      
            zypper should be configured to remove previous software components after
new versions have been installed. To configure zypper to remove the

previous software components after updating, set the solver.upgradeRemoveDroppedPackages


to 1 in /etc/zypp/zypp.conf.
SLES-12-010570 clean_components_post_updating
V-217155 1958 medium The SUSE operating system must disable the USB mass storage kernel module. SRG-OS-ID
USB storage devices such as thumb drives can be used to introduce
malicious software.
If the system is configured to prevent the loading of the usb-storage kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.

To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/false

This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually.
SLES-12-010580 kernel_module_usb-storage_disabled
V-217156 1958 medium The SUSE operating system must disable the file system automounter unless required. SRG-OS-ID
Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.

            
Additionally, automatically mounting filesystems permits easy introduction of
unknown devices, thereby facilitating malicious activity.
To check that the autofs service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled autofs
Output should indicate the autofs service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled autofs disabled

Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active autofs

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the autofs is masked, run the following command:
$ sudo systemctl show autofs | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "autofs" is loaded and not masked?
      
The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.

            

The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
          
SLES-12-010590 service_autofs_disabled
V-222385 1233 medium The SUSE operating system must implement the Endpoint Security for Linux Threat Prevention tool. SRG-OS-ID
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.
To verify that McAfee Endpoint Security for Linux is
running, run the following command:
$ sudo ps -ef | grep -i mfetpd
      Is it the case that virus scanning software is not running?
      
Install McAfee Endpoint Security for Linux antivirus software
which is provided for DoD systems and uses signatures to search for the
presence of viruses on the filesystem.
SLES-12-010599 agent_mfetpd_running
V-217158 2235 medium The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control. SRG-OS-ID
Using a whitelist provides a configuration management method for allowing
the execution of only authorized software. Using only authorized software
decreases risk by limiting the number of potential vulnerabilities.
          

The organization must identify authorized software programs and permit
execution of authorized software by adding each authorized program to the
"pam_apparmor" exception policy. The process used to identify software
programs that are authorized to execute on organizational information
systems is commonly referred to as whitelisting.
          

Verification of whitelisted software occurs prior to execution or at system
startup.
          

Users' home directories/folders may contain information of a sensitive
nature. Nonprivileged users should coordinate any sharing of information
with a System Administrator (SA) through shared resources.
          

Apparmor can confine users to their home directory, not allowing them to
make any changes outside of their own home directories. Confining users to
their home directory will minimize the risk of sharing information.

Run the following command to determine the current status of the
apparmor service:
$ sudo systemctl is-active apparmor
If the service is running, it should return the following: active
      Is it the case that it is not?
      
Verify that the Apparmor tool is configured to
control whitelisted applications and user home directory access
control.
          

The apparmor service can be enabled with the following command:
$ sudo systemctl enable apparmor.service
        
SLES-12-010600 apparmor_configured
V-217159 366 high The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence. SRG-OS-ID
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check
that the ctrl-alt-del.target is masked and not active with the following
command:
sudo systemctl status ctrl-alt-del.target
The output should indicate that the target is masked and not active. It
might resemble following output:
ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed?
      
By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.

            
To configure the system to ignore the Ctrl-Alt-Del key sequence from the

command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target
            
            
Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates.
SLES-12-010610 disable_ctrlaltdel_reboot
V-217160 366 high The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces. SRG-OS-ID
Failure to have a functional DConf profile prevents GNOME3 configuration settings
from being enforced for all users and allows various security risks.
To verify that the DConf User profile is configured correctly, run the following
command:

$ cat /etc/dconf/profile/gdm
The output should show the following:
user-db:user
system-db:gdm
      Is it the case that DConf User profile does not exist or is not configured correctly?
      
By default, DConf provides a standard user profile. This profile contains a list
of DConf configuration databases. The user profile and database always take the
highest priority. As such the DConf User profile should always exist and be
configured correctly.

            

To make sure that the user profile is configured correctly, the /etc/dconf/profile/gdm
should be set as follows:
user-db:user
system-db:gdm

          
SLES-12-010611 enable_dconf_user_profile
V-217161 366 medium The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files. SRG-OS-ID
The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users.
Verify SUSE Linux Enterprise 12 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command:

# grep -i umask /etc/login.defs

UMASK 
      Is it the case that the value for the "UMASK" parameter is not "", or the "UMASK" parameter is missing or is commented out?
      
To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 
              
            
SLES-12-010620 accounts_umask_etc_login_defs
V-217162 366 medium The SUSE operating system must not have unnecessary accounts. SRG-OS-ID
Accounts providing no operational purpose provide additional opportunities for
system compromise. Unnecessary accounts include user accounts for individuals not
requiring access to the system and application accounts for applications not installed
on the system.
To verify that there are no unauthorized local user accounts, run the following command:
$ less /etc/passwd 
Inspect the results, and if unauthorized local user accounts exist, remove them by running
the following command:
$ sudo userdel unauthorized_user
      Is it the case that there are unauthorized local user accounts on the system?
      
Enterprise Application tends to use the server or virtual machine exclusively.
Besides the default operating system user, there should be only authorized local
users required by the installed software groups and applications that exist on
the operating system. The authorized user list can be customized in the refine
value variable var_accounts_authorized_local_users_regex.
OVAL regular expression is used for the user list.
Configure the system so all accounts on the system are assigned to an active system,
application, or user account. Remove accounts that do not support approved system
activities or that allow for a normal user to perform administrative-level actions.
To remove unauthorized system accounts, use the following command:
$ sudo userdel unauthorized_user
            
          
SLES-12-010630 accounts_authorized_local_users
V-237606 366 medium The SUSE operating system must not have unnecessary account capabilities. SRG-OS-ID
Ensuring shells are not given to system accounts upon login makes it more difficult for
attackers to make use of system accounts.
To obtain a listing of all users, their UIDs, and their shells, run the command:
$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
Identify the system accounts from this listing. These will primarily be the accounts with UID
numbers less than 1000, other than root.
      Is it the case that any system account other than root has a login shell?
      
Some accounts are not associated with a human user of the system, and exist to perform some
administrative functions. Should an attacker be able to log into these accounts, they should
not be granted access to a shell.

              
The login shell for each local account is stored in the last field of each line in
/etc/passwd. System accounts are those user accounts with a user ID less than
1000. The user ID is stored in the third field. If any system account
other than root has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin account
              
            
SLES-12-010631 no_shelllogin_for_systemaccounts
V-217163 804 medium The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users. SRG-OS-ID
To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
Verify that SUSE Linux Enterprise 12 contains no duplicate User IDs (UIDs) for interactive users.

Check that the operating system contains no duplicate UIDs for interactive users with the following command:

$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
      Is it the case that output is produced and the accounts listed are interactive user accounts?
      
Change user IDs (UIDs), or delete accounts, so each has a unique name.
SLES-12-010640 account_unique_id
V-217164 366 high The SUSE operating system root account must be the only account having unrestricted access to the system. SRG-OS-ID
An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner.
Verify that only the "root" account has a UID "0" assignment with the
following command:
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
root
      Is it the case that any accounts other than "root" have a UID of "0"?
      
If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.

If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
Otherwise assign a UID greater than "1000" that has not already been
assigned.
SLES-12-010650 accounts_no_uid_except_zero
V-217166 2007 medium If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day. SRG-OS-ID
If cached authentication information is out-of-date, the validity of the
authentication information may be questionable.
To verify that SSSD's in-memory cache expires after a day, run the following command:
$ sudo grep memcache_timeout /etc/sssd/sssd.conf
If configured properly, output should be memcache_timeout = .
      Is it the case that it does not exist or is not configured properly?
      
SSSD's memory cache should be configured to set to expire records after

            
           seconds.
To configure SSSD to expire memory cache, set memcache_timeout to

            
           under the
[nss] section in /etc/sssd/sssd.conf.

For example:
[nss]
memcache_timeout = 
          
        
SLES-12-010670 sssd_memcache_timeout
V-217167 2007 medium The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day. SRG-OS-ID
If cached authentication information is out-of-date, the validity of the
authentication information may be questionable.
To verify that SSSD expires offline credentials, run the following command:
$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
If configured properly, output should be
offline_credentials_expiration = 1
      Is it the case that it does not exist or is not configured properly?
      
SSSD should be configured to expire offline credentials after 1 day.

To configure SSSD to expire offline credentials, set
offline_credentials_expiration to 1 under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1

        
SLES-12-010680 sssd_offline_cred_expiration
V-217168 2165 medium All SUSE operating system files and directories must have a valid owner. SRG-OS-ID
Unowned files do not directly imply a security problem, but they are generally a sign that
something is amiss. They may be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging to a deleted account, or
other similar cases. The files should be repaired so they will not cause problems when
accounts are created in the future, and the cause should be discovered and addressed.
The following command will locate the mount points related to local devices:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

The following command will show files which do not belong to a valid user:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null

Replace MOUNTPOINT by the mount points listed by the fist command.

No files without a valid user should be located.
      Is it the case that files exist that are not owned by a valid user?
      
If any files are not owned by a user, then the cause of their lack of ownership should be
investigated. Following this, the files should be deleted or assigned to an appropriate user.

Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid user using the following command:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
          
SLES-12-010690 no_files_unowned_by_user
V-217169 2165 medium All SUSE operating system files and directories must have a valid group owner. SRG-OS-ID
Unowned files do not directly imply a security problem, but they are generally a sign that
something is amiss. They may be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging to a deleted account, or
other similar cases. The files should be repaired so they will not cause problems when
accounts are created in the future, and the cause should be discovered and addressed.
The following command will locate the mount points related to local devices:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

The following command will show files which do not belong to a valid group:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null

Replace MOUNTPOINT by the mount points listed by the fist command.

No files without a valid group should be located.
      Is it the case that there is output?
      
If any file is not group-owned by a group present in /etc/group, the cause of the lack of
group-ownership must be investigated. Following this, those files should be deleted or
assigned to an appropriate group.

Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid group using the following command:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
          
SLES-12-010700 file_permissions_ungroupowned
V-217170 366 medium All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file. SRG-OS-ID
If local interactive users are not assigned a valid home directory, there is no
place for the storage and control of files they should own.
Verify that interactive users on the system have a home directory assigned with the following command:

$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd

Inspect the output and verify that all interactive users (normally users with a UID greater than 1000) have a home directory defined.
      Is it the case that users home directory is not defined?
      
Assign home directories to all interactive users that currently do not
have a home directory assigned.

This rule checks if the home directory is properly defined in a folder which has
at least one parent folder, like "user" in "/home/user" or "/remote/users/user".
Therefore, this rule will report a finding for home directories like /users,
/tmp or /.
SLES-12-010710 accounts_user_interactive_home_directory_defined
V-217171 366 medium All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory. SRG-OS-ID
If local interactive users are not assigned a valid home directory, there is no place
for the storage and control of files they should own.
Verify all local interactive users on SUSE Linux Enterprise 12 are assigned a home
directory upon creation with the following command:
$ grep -i create_home /etc/login.defs
CREATE_HOME yes
      Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out?
      
All local interactive user accounts, upon creation, should be assigned a home directory.

            
Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME
parameter in /etc/login.defs to yes as follows:

            
            CREATE_HOME yes
          
SLES-12-010720 accounts_have_homedir_login_defs
V-217172 366 medium All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist. SRG-OS-ID
If a local interactive user has a home directory defined that does not exist,
the user may be given access to the / directory as the current working directory
upon logon. This could create a Denial of Service because the user would not be
able to access their logon configuration files, and it may give them visibility
to system files they normally would not be able to access.
Verify the assigned home directories of all interactive users on the system exist with the following command:

$ sudo pwck -r

user 'mailnull': directory 'var/spool/mqueue' does not exist

The output should not return any interactive users.
      Is it the case that users home directory does not exist?
      
Create home directories to all local interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
            
          
SLES-12-010730 accounts_user_interactive_home_directory_exists
V-217173 366 medium All SUSE operating system local interactive user home directories must have mode 0750 or less permissive. SRG-OS-ID
Excessive permissions on local interactive user home directories may allow
unauthorized access to user files by other users.
To verify the assigned home directory of all interactive user home directories
have a mode of 0750 or less permissive, run the following command:
$ sudo ls -l /home
Inspect the output for any directories with incorrect permissions.
      Is it the case that they are more permissive?
      
Change the mode of interactive users home directories to 0750. To
change the mode of interactive users home directory, use the
following command:
$ sudo chmod 0750 /home/USER
            
          
SLES-12-010740 file_permissions_home_directories
V-217174 366 medium All SUSE operating system local interactive user home directories must be group-owned by the home directory owners primary group. SRG-OS-ID
If the Group Identifier (GID) of a local interactive users home directory is
not the same as the primary GID of the user, this would allow unauthorized
access to the users files, and users that share the same group may not be
able to access files that they legitimately should.
To verify the assigned home directory of all interactive users is group-
owned by that users primary GID, run the following command:
# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
      Is it the case that the group ownership is incorrect?
      
Change the group owner of interactive users home directory to the
group found in /etc/passwd. To change the group owner of
interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
            

This rule ensures every home directory related to an interactive user is
group-owned by an interactive user. It also ensures that interactive users
are group-owners of one and only one home directory.
SLES-12-010750 file_groupownership_home_directories
V-217175 366 medium All SUSE operating system local initialization files must have mode 0740 or less permissive. SRG-OS-ID
Local initialization files are used to configure the user's shell environment
upon logon. Malicious modification of these files could compromise accounts upon
logon.
To verify that all user initialization files have a mode of 0740 or
less permissive, run the following command:
$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)
There should be no output.
      Is it the case that they are not 0740 or more permissive?
      
Set the mode of the user initialization files to 0740 with the
following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE
            
          
SLES-12-010760 file_permission_user_init_files
V-217176 366 medium All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory. SRG-OS-ID
The executable search path (typically the PATH environment variable) contains a
list of directories for the shell to search to find executables. If this path
includes the current working directory (other than the users home directory),
executables in these directories may be executed instead of system commands.
This variable is formatted as a colon-separated list of directories. If there is
an empty entry, such as a leading or trailing colon or two consecutive colons,
this is interpreted as the current working directory. If deviations from the
default system search path for the local interactive user are required, they
must be documented with the Information System Security Officer (ISSO).
Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:

$ sudo grep -i path= /home/*/.*

/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
      Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement?
      
Ensure that all interactive user initialization files executable search
path statements do not contain statements that will reference a working
directory other than the users home directory.
SLES-12-010770 accounts_user_home_paths_only
V-217177 366 medium All SUSE operating system local initialization files must not execute world-writable programs. SRG-OS-ID
If user start-up files execute world-writable programs, especially in
unprotected directories, they could be maliciously modified to destroy user
files or otherwise compromise the system at the user level. If the system is
compromised at the user level, it is easier to elevate privileges to eventually
compromise the system at the root and network level.
Verify that local initialization files do not execute world-writable programs with the following command:

Note: The example will be for a system that is configured to create user home directories in the "/home" directory.

$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
      Is it the case that any local initialization files are found to reference world-writable files?
      
Set the mode on files being executed by the user initialization files with the
following command:
$ sudo chmod o-w FILE
            
          
SLES-12-010780 accounts_user_dot_no_world_writable_programs
V-217178 366 medium SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. SRG-OS-ID
The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from user home directory partitions.
Verify the nosuid option is configured for the /home mount point,
    run the following command:
    $ sudo mount | grep '\s/home\s'
    . . . /home . . . nosuid . . .

      Is it the case that the "/home" file system does not have the "nosuid" option set?
      
The nosuid mount option can be used to prevent
execution of setuid programs in /home. The SUID and SGID permissions
should not be required in these user data directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/home.
SLES-12-010790 mount_option_home_nosuid
V-217179 366 medium SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. SRG-OS-ID
The presence of SUID and SGID executables should be tightly controlled. Allowing
users to introduce SUID or SGID binaries from partitions mounted off of
removable media would allow them to introduce their own highly-privileged programs.
Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command:

$ sudo more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
      Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set?
      
The nosuid mount option prevents set-user-identifier (SUID)
and set-group-identifier (SGID) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce SUID and SGID
files into the system via partitions mounted from removeable media.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of

    any removable media partitions.
SLES-12-010800 mount_option_nosuid_removable_partitions
V-217180 366 medium SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. SRG-OS-ID
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
should be installed to their default location on the local filesystem.
To verify the nosuid option is configured for all NFS mounts, run
the following command:
$ mount | grep nfs
All NFS mounts should show the nosuid setting in parentheses. This
is not applicable if NFS is not implemented.
      Is it the case that the setting does not show?
      
Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts.
SLES-12-010810 mount_option_nosuid_remote_filesystems
V-217181 366 medium SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. SRG-OS-ID
The noexec mount option causes the system not to execute binary files. This option must be used
for mounting any file system not containing approved binary files as they may be incompatible. Executing
files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized
administrative access.
To verify the noexec option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the noexec setting in parentheses.  This is not applicable if NFS is
not implemented.
      Is it the case that the setting does not show?
      
Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts.
SLES-12-010820 mount_option_noexec_remote_filesystems
V-217182 366 medium All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group. SRG-OS-ID
Allowing a user account to group own a world-writable directory is
undesirable because it allows the owner of that directory to remove
or replace any files that may be placed in the directory by other
users.
The following command will discover and print world-writable directories that
are not group owned by a system account, given the assumption that only system
accounts have a gid lower than 1000.  Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -gid +999 -print
      Is it the case that there is output?
      
All directories in local partitions which are
world-writable should be group owned by root or another
system account. If any world-writable directories are not
group owned by a system account, this should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group.
SLES-12-010830 dir_perms_world_writable_system_owned_group
V-217183 366 medium SUSE operating system kernel core dumps must be disabled unless needed. SRG-OS-ID
Kernel core dumps may contain the full contents of system memory at the
time of the crash. Kernel core dumps consume a considerable amount of disk
space and may result in denial of service by exhausting the available space
on the target file system partition. Unless the system is used for kernel
development or testing, there is little need to run the kdump service.
To check that the kdump service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled kdump
Output should indicate the kdump service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled kdump disabled

Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active kdump

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the kdump is masked, run the following command:
$ sudo systemctl show kdump | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "kdump" is loaded and not masked?
      
The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.

The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service
        
SLES-12-010840 service_kdump_disabled
V-217184 366 low A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent). SRG-OS-ID
Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
Verify that a separate file system/partition has been created for /home with the following command:

$ mountpoint /home

      Is it the case that "/home is not a mountpoint" is returned?
      
If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
SLES-12-010850 partition_for_home
V-217185 366 low The SUSE operating system must use a separate file system for /var. SRG-OS-ID
Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages.
Verify that a separate file system/partition has been created for /var with the following command:

$ mountpoint /var

      Is it the case that "/var is not a mountpoint" is returned?
      
The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM.
SLES-12-010860 partition_for_var
V-217186 366 low The SUSE operating system must use a separate file system for the system audit data path. SRG-OS-ID
Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space.
Verify that a separate file system/partition has been created for /var/log/audit with the following command:

$ mountpoint /var/log/audit

      Is it the case that "/var/log/audit is not a mountpoint" is returned?
      
Audit logs are stored in the /var/log/audit directory.

Ensure that /var/log/audit has its own partition or logical
volume at installation time, or migrate it using LVM.
Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.
SLES-12-010870 partition_for_var_log_audit
V-237607 1499 medium The SUSE operating system library files must have mode 0755 or less permissive. SRG-OS-ID
Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the system.
Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \;
      Is it the case that any system-wide shared library file is found to be group-writable or world-writable?
      
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w FILE
              
            
SLES-12-010871 file_permissions_library_dirs
V-237608 1499 medium The SUSE operating system library directories must have mode 0755 or less permissive. SRG-OS-ID
If the operating system were to allow any user to make changes to software libraries,
then those changes might be implemented without undergoing the appropriate testing
and approvals that are part of a robust change management process.

This requirement applies to operating systems with software libraries that are accessible
and configurable, as in the case of interpreted languages. Software libraries also include
privileged programs which execute with escalated privileges. Only qualified and authorized
individuals must be allowed to obtain access to information system components for purposes
of initiating changes, including upgrades and modifications.
Shared libraries are stored in the following directories:
/lib
/lib64
/usr/lib
/usr/lib64

To find shared libraries that are group-writable or world-writable,
run the following command for each directory DIR which contains shared libraries:
$ sudo find -L DIR -perm /022 -type d
      Is it the case that any of these files are group-writable or world-writable?
      
System-wide shared library directories, which contain are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All sub-directories in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w DIR
              
            
SLES-12-010872 dir_permissions_library_dirs
V-237609 1499 medium The SUSE operating system library files must be owned by root. SRG-OS-ID
Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership is necessary to protect the integrity of the system.
Verify the system-wide shared library files are owned by "root" with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \;
      Is it the case that any system wide shared library file is not owned by root?
      
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the directory, or any file in these
directories, is found to be owned by a user other than root correct its
ownership with the following command:
$ sudo chown root FILE
              
            
SLES-12-010873 file_ownership_library_dirs
V-237610 1499 medium The SUSE operating system library directories must be owned by root. SRG-OS-ID
Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership of library directories is necessary to protect
the integrity of the system.
Verify the system-wide shared library directories are owned by "root" with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \;
      Is it the case that any system-wide shared library directory is not owned by root?
      
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the  directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chown root DIR
              
            
SLES-12-010874 dir_ownership_library_dirs
V-237611 1499 medium The SUSE operating system library files must be group-owned by root. SRG-OS-ID
If the operating system were to allow any user to make changes to software libraries,
then those changes might be implemented without undergoing the appropriate testing and
approvals that are part of a robust change management process.

This requirement applies to operating systems with software libraries that are
accessible and configurable, as in the case of interpreted languages. Software libraries
also include privileged programs which execute with escalated privileges. Only qualified
and authorized individuals must be allowed to obtain access to information system components
for purposes of initiating changes, including upgrades and modifications.
Verify the system-wide shared library files are group-owned by "root" with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \;
      Is it the case that any system wide shared library file is returned and is not group-owned by a required system account?
      
System-wide library files are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

All system-wide shared library files should be protected from unauthorised
access. If any of these files is not group-owned by root, correct its group-owner with
the following command:
$ sudo chgrp root FILE
              
            
SLES-12-010875 root_permissions_syslibrary_files
V-237612 1499 medium The SUSE operating system library directories must be group-owned by root. SRG-OS-ID
Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership of library directories is necessary to protect
the integrity of the system.
Verify the system-wide shared library directories are group-owned by "root" with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \;

If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding.
      Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account?
      
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
group-owned by the root user. If the  directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chgrp root DIR
              
            
SLES-12-010876 dir_group_ownership_library_dirs
V-237613 1499 medium The SUSE operating system must have system commands set to a mode of 755 or less permissive. SRG-OS-ID
System binaries are executed by privileged users, as well as system services,
and restrictive permissions are necessary to ensure execution of these programs
cannot be co-opted.
System commands are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/local/bin
/usr/local/sbin
/usr/sbin
To find system commands that have mode 0755 or less permissive,
run the following command for each directory DIR which contains system executables:
$ sudo find -L DIR -perm /022 -type f
      Is it the case that any system commands are found to be group or world writable?
      
System commands are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
$ sudo chmod 755 FILE
              
            
SLES-12-010877 file_permissions_system_commands_dirs
V-237614 1499 medium The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive. SRG-OS-ID
System binaries are executed by privileged users, as well as system services,
and restrictive permissions are necessary to ensure execution of these programs
cannot be co-opted.
Verify the system commands contained in the following directories have mode "755" or less permissive with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \;
      Is it the case that any system commands are found to be group-writable or world-writable?
      
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
$ sudo chmod go-w FILE
              
            
SLES-12-010878 file_permissions_binary_dirs
V-237615 1499 medium The SUSE operating system must have system commands owned by root. SRG-OS-ID
System binaries are executed by privileged users as well as system services,
and restrictive permissions are necessary to ensure that their
execution of these programs cannot be co-opted.
Verify the system commands contained in the following directories are owned by "root" with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \;
      Is it the case that any system commands are found to not be owned by root?
      
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE
              
            
SLES-12-010879 file_ownership_binary_dirs
V-237616 1499 medium The SUSE operating system must have directories that contain system commands owned by root. SRG-OS-ID
If the operating system were to allow any user to make changes to 
software libraries, then those changes might be implemented without 
undergoing the appropriate testing and approvals that are part of a 
robust change management process.

This requirement applies to operating systems with software libraries
that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs which execute with escalated 
privileges. Only qualified and authorized individuals must be allowed to obtain 
access to information system components for purposes of initiating changes, 
including upgrades and modifications.
System commands are stored in the following directories:
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin
For each of these directories, run the following command to find directories not
owned by root:
$ sudo find -L $DIR ! -user root -type d
      Is it the case that any of these directories are not owned by root?
      
System commands are stored in the following directories by default:
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin

All these directories should be owned by the root user. 
If any system command directory is not owned by a user other than root 
correct its ownership with the following command:
$ sudo chown root DIR
            
          
SLES-12-010881 dir_system_commands_root_owned
V-237617 1499 medium The SUSE operating system must have system commands group-owned by root or a system account. SRG-OS-ID
If the operating system allows any user to make changes to software
libraries, then those changes might be implemented without undergoing the
appropriate testing and approvals that are part of a robust change management
process.
This requirement applies to operating systems with software libraries
that are accessible and configurable, as in the case of interpreted languages.
Software libraries also include privileged programs which execute with
escalated privileges. Only qualified and authorized individuals must be
allowed to obtain access to information system components for purposes
of initiating changes, including upgrades and modifications.
Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \;
      Is it the case that any system commands are returned and is not group-owned by a required system account?
      
System commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

All files in these directories should be owned by the root group,
or a system account.
If the directory, or any file in these directories, is found to be owned
by a group other than root or a a system account correct its ownership
with the following command:
$ sudo chgrp root FILE
              
            
SLES-12-010882 file_groupownership_system_commands_dirs
V-237618 1499 medium The SUSE operating system must have directories that contain system commands group-owned by root. SRG-OS-ID
If the operating system were to allow any user to make changes to 
software libraries, then those changes might be implemented without 
undergoing the appropriate testing and approvals that are part of a 
robust change management process.

This requirement applies to operating systems with software libraries
that are accessible and configurable, as in the case of interpreted languages. 
Software libraries also include privileged programs which execute with escalated 
privileges. Only qualified and authorized individuals must be allowed to obtain 
access to information system components for purposes of initiating changes, 
including upgrades and modifications.
System commands are stored in the following directories:
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin
For each of these directories, run the following command to find directories not
owned by root:
$ sudo find -L $DIR ! -group root -type d -exec chgrp root {} \;
      Is it the case that any of these directories are not group owned by root?
      
System commands are stored in the following directories:
by default:
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin

All these directories should have root user as a group owner. 
If any system command directory is not group owned by a user other than root 
correct its ownership with the following command:
$ sudo chgrp root DIR
            
          
SLES-12-010883 dir_system_commands_group_root_owned
V-217188 1314 medium The SUSE operating system must prevent unauthorized users from accessing system error messages. SRG-OS-ID
The /var/log/messages file contains system error messages. Only
authorized personnel should be aware of errors and the details of the
errors. Error messages are an indicator of an organization's operational
state or can identify the SUSE operating system or platform. Additionally,
Personally Identifiable Information (PII) and operational information must
not be revealed through error messages to unauthorized personnel or their
designated representatives.
To check the permissions of /var/log/messages,
run the command:
$ ls -l /var/log/messages
If properly configured, the output should indicate the following permissions:
-rw-r-----

Check that permissions.local file contains the correct permissions rules with the following command:

# grep -i messages /etc/permissions.local

/var/log/messages root:root 640

If the command does not return any or different output, this is a finding.

Run the following command to correct the permissions after adding the missing entry:

# sudo chkstat --set --system
      Is it the case that Make sure /var/log/messages is not world-readable?
      
Files containing sensitive informations should be protected by restrictive
permissions. Most of the time, there is no need that these files need to be read by any non-root user

To properly set the permissions of /var/log/messages, run the command:
$ sudo chmod 0640 /var/log/messages

Check that "permissions.local" file contains the correct permissions rules with the following command:

# grep -i messages /etc/permissions.local

/var/log/messages root:root 640
          
SLES-12-010890 file_permissions_local_var_log_messages
V-217189 366 medium The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. SRG-OS-ID
            pam-config is a command line utility that automatically generates
a system PAM configuration as packages are installed, updated or removed
from the system. pam-config removes configurations for PAM modules
and parameters that it does not know about. It may render ineffective PAM
configuration by the system administrator and thus impact system security.
Check that soft links between PAM configuration files are removed with the following command:

# find /etc/pam.d/ -type l -iname "common-*"

If any results are returned, this is a finding.
      Is it the case that there is output?
      
Verify the SUSE operating system is configured to not overwrite Pluggable
Authentication Modules (PAM) configuration on package changes.
SLES-12-010910 pam_disable_automatic_configuration
V-217190 1881 medium The SUSE operating system must have the auditing package installed. SRG-OS-ID
The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
Run the following command to determine if the audit package is installed: $ rpm -q audit
      Is it the case that the audit package is not installed?
      
The audit package should be installed.
SLES-12-020000 package_audit_installed
V-217191 2884 medium SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. SRG-OS-ID
Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.

        
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions.

Run the following command to determine the current status of the
auditd service:
$ sudo systemctl is-active auditd
If the service is running, it should return the following: active
      Is it the case that the auditd service is not running?
      
The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.

The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
      
SLES-12-020010 service_auditd_enabled
V-217192 1849 medium The SUSE operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. SRG-OS-ID
Information stored in one location is vulnerable to accidental or incidental
deletion or alteration. Off-loading is a common process in information
systems with limited audit storage capacity.
To verify whether audispd plugin off-loads audit records onto a different
system or media from the system being audited, run the following command:

$ sudo grep -i remote_server /etc/audit/audisp-remote.conf

The output should return something similar to where REMOTE_SYSTEM
is an IP address or hostname:
remote_server = REMOTE_SYSTEM

Determine which partition the audit records are being written to with the
following command:

$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Check the size of the partition that audit records are written to with the
following command and verify whether it is sufficiently large:

$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
      Is it the case that audispd is not sending logs to a remote system and the local partition has inadequate space?
      
The SUSE Linux Enterprise 12 operating system must allocate audit record storage
capacity to store at least one weeks worth of audit records when audit
records are not immediately sent to a central audit record storage
facility.

The partition size needed to capture a week's worth of audit records is
based on the activity level of the system and the total storage capacity
available.

In normal circumstances, 10.0 GB of storage space for audit
records will be sufficient.


Determine which partition the audit records are being written to with the
following command:

$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Check the size of the partition that audit records are written to with the
following command:

$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
        
SLES-12-020020 auditd_audispd_configure_sufficiently_large_partition
V-217193 1855 medium The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full. SRG-OS-ID
Notifying administrators of an impending disk space problem may allow them to
take corrective action prior to any disruption.
Inspect /etc/audit/auditd.conf and locate the following line to
determine if the system is configured correctly:
space_left SIZE_in_MB
      Is it the case that the system is not configured a specfic size in MB to notify administrators of an issue?
      
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting SIZE_in_MB appropriately:
space_left = SIZE_in_MB
          
Set this value to the appropriate size in Megabytes cause the system to
notify the user of an issue.
SLES-12-020030 auditd_data_retention_space_left
V-217194 139 medium The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event. SRG-OS-ID
Email sent to the root account is typically aliased to the
administrators of the system, who can take appropriate action.
Verify that SUSE Linux Enterprise 12 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command:

$ sudo grep action_mail_acct /etc/audit/auditd.conf

action_mail_acct = 
      Is it the case that the value of the "action_mail_acct" keyword is not set to "" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure?
      
The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = 
          
        
SLES-12-020040 auditd_data_retention_action_mail_acct
V-217195 139 medium The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure. SRG-OS-ID
A number of system services utilize email messages sent to the root user to
notify system administrators of active or impending issues.  These messages must
be forwarded to at least one monitored email address.
Find the list of alias maps used by the Postfix mail server:
$ sudo postconf alias_maps
Query the Postfix alias maps for an alias for the root user:
$ sudo postmap -q root hash:/etc/aliases
The output should return an alias.
      Is it the case that the alias is not set?
      
Make sure that mails delivered to root user are forwarded to a monitored
email address. Make sure that the address
 is a valid email address
reachable from the system in question. Use the following command to
configure the alias:
$ sudo echo "root: " >> /etc/aliases
$ sudo newaliases
          
SLES-12-020050 postfix_client_configure_mail_alias
V-217196 140 medium The SUSE operating system audit system must take appropriate action when the audit storage volume is full. SRG-OS-ID
Taking appropriate action in case of a filled audit storage volume will minimize
the possibility of losing audit records.
Verify SUSE Linux Enterprise 12 takes the appropriate action when the audit storage volume is full.

Check that SUSE Linux Enterprise 12 takes the appropriate action when the audit storage volume is full with the following command:

$ sudo grep disk_full_action /etc/audit/auditd.conf

disk_full_action = 

If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full.
      Is it the case that there is no evidence of appropriate action?
      
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_full_action = ACTION
          
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,

single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page.
SLES-12-020060 auditd_data_disk_full_action
V-217197 1851 medium The audit-audispd-plugins must be installed on the SUSE operating system. SRG-OS-ID
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
      Is it the case that the package is not installed?
      
The audit-audispd-plugins package should be installed.
SLES-12-020070 package_audit-audispd-plugins_installed
V-217198 1851 low The SUSE operating system audit event multiplexor must be configured to use Kerberos. SRG-OS-ID
Information stored in one location is vulnerable to accidental or incidental deletion
or alteration. Off-loading is a common process in information systems with limited
audit storage capacity.
To verify the audispd plugin encrypts audit records off-loaded onto a different
system or media from the system being audited, run the following command:

$ sudo grep -i enable_krb5 /etc/audit/audisp-remote.conf
The output should return the following:
enable_krb5 = yes
      Is it the case that audispd is not encrypting audit records when sent over the network?
      
Configure the operating system to encrypt the transfer of off-loaded audit
records onto a different system or media from the system being audited.

Uncomment the enable_krb5 option in /etc/audit/audisp-remote.conf,
and set it with the following line:
enable_krb5 = yes
        
SLES-12-020080 auditd_audispd_encrypt_sent_records
V-217199 1851 low Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited. SRG-OS-ID
Information stored in one location is vulnerable to accidental or incidental
deletion or alteration.Off-loading is a common process in information systems
with limited audit storage capacity.
To verify the audispd plugin off-loads audit records onto a different system or
media from the system being audited, run the following command:
$ sudo grep -i remote_server /etc/audit/audisp-remote.conf
The output should return something similar to
remote_server = 
      Is it the case that audispd is not sending logs to a remote system?
      
Configure the audispd plugin to off-load audit records onto a different
system or media from the system being audited.

Set the remote_server option in /etc/audit/audisp-remote.conf
with an IP address or hostname of the system that the audispd plugin should
send audit records to. For example
remote_server = 
              
            
          
        
SLES-12-020090 auditd_audispd_configure_remote_server
V-217200 1851 medium The audit system must take appropriate action when the network cannot be used to off-load audit records. SRG-OS-ID
Taking appropriate action when there is an error sending audit records to a
remote system will minimize the possibility of losing audit records.
Inspect /etc/audit/audisp-remote.conf and locate the following line to
determine if the system is configured to perform a correct action according to the policy:
$ sudo grep -i network_failure_action /etc/audit/audisp-remote.conf
The output should return:
network_failure_action = 
      Is it the case that the system is not configured to switch to single user mode for corrective action?
      
Configure the action the operating system takes if there is an error sending
audit records to a remote system. Edit the file /etc/audit/audisp-remote.conf.
Add or modify the following line, substituting ACTION appropriately:
network_failure_action = ACTION
          
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
This profile configures the action to be 
            
          .
SLES-12-020100 auditd_audispd_network_failure_action
V-217201 1851 medium Audispd must take appropriate action when the SUSE operating system audit storage is full. SRG-OS-ID
Taking appropriate action in case of a filled audit storage volume will
minimize the possibility of losing audit records.
Inspect /etc/audit/audisp-remote.conf and locate the following line to
determine if the system is configured to either send to syslog, switch to single user mode,
or halt when the disk is full:
$ sudo grep -i disk_full_action /etc/audit/audisp-remote.conf
The output should return something similar to:
disk_full_action = single
Acceptable values also include syslog and halt.
      Is it the case that the system is not configured to switch to single user mode for corrective action?
      
Configure the action the operating system takes if the disk the audit records
are written to becomes full. Edit the file /etc/audit/audisp-remote.conf.
Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
          
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
SLES-12-020110 auditd_audispd_disk_full_action
V-217202 164 medium The SUSE operating system must protect audit rules from unauthorized modification. SRG-OS-ID
Without the capability to restrict which roles and individuals can select
which events are audited, unauthorized personnel may be able to prevent the
auditing of critical events. Misconfigured audits may degrade the system's
performance by overwhelming the audit log. Misconfigured audits may also
make it more difficult to establish, correlate, and investigate the events
relating to an incident or identify those responsible for one.
Check that permissions.local file contains the correct permissionsi
rules with the following command:

# grep -i audit /etc/permissions.local

/var/log/audit/ root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640

If the command does not return all the above lines, the missing ones need
to be added.

Run the following command to correct the permissions after adding missing
entries:

# sudo chkstat --set --system
      Is it the case that ?
      
Files containing sensitive informations should be protected by restrictive
permissions. Most of the time, there is no need that these files need to be
read by any non-root user.

Check that "permissions.local" file contains the correct permissions rules with the following command:

# grep -i audit /etc/permissions.local

/var/log/audit/ root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640
          
SLES-12-020120 permissions_local_var_log_audit
V-217203 1495 medium The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. SRG-OS-ID
Protecting audit information also includes identifying and protecting the
tools used to view and manipulate log data. Therefore, protecting audit
tools is necessary to prevent unauthorized operation on audit information.

SUSE operating systems providing tools to interface with audit information
will leverage user permissions and roles identifying the user accessing the
tools and the corresponding rights the user enjoys to make access decisions
regarding the access to audit tools.
Check that permissions.local file contains the correct permissions
rules with the following command:

grep "^/usr/sbin/au" /etc/permissions.local

/usr/sbin/audispd root:root 0750
/usr/sbin/auditctl root:root 0750
/usr/sbin/auditd root:root 0750
/usr/sbin/ausearch root:root 0755
/usr/sbin/aureport root:root 0755
/usr/sbin/autrace root:root 0750
/usr/sbin/augenrules root:root 0750


If the command does not return all the above lines, the missing ones need
to be added.

Run the following command to correct the permissions after adding missing
entries:

# sudo chkstat --set --system
      Is it the case that ?
      
The SUSE operating system audit tools must have the proper permissions
configured to protect against unauthorized access.

Check that "permissions.local" file contains the correct permissions rules
with the following command:

grep "^/usr/sbin/au" /etc/permissions.local

/usr/sbin/audispd root:root 0750
/usr/sbin/auditctl root:root 0750
/usr/sbin/auditd root:root 0750
/usr/sbin/ausearch root:root 0755
/usr/sbin/aureport root:root 0755
/usr/sbin/autrace root:root 0750
/usr/sbin/augenrules root:root 0750


Audit tools include but are not limited to vendor-provided and open-source
audit tools needed to successfully view and manipulate audit information
system activity and records. Audit tools include custom queries and report
generators.
SLES-12-020130 permissions_local_audit_binaries
V-217204 366 medium The SUSE operating system must not disable syscall auditing. SRG-OS-ID
Audit rules for syscalls do not take effect unless this line is removed.
To check for the offending line, run the following command:
$ grep task,never /etc/audit/{rules.d,.}/audit.rules
There must not be any output, or else these lines must be removed from
the matching files.
      Is it the case that syscall auditing is still disabled?
      
By default, SUSE Linux Enterprise 12 ships an audit rule to disable syscall
auditing for performance reasons.

To make sure that syscall auditing works, this line must be removed from
/etc/audit/rules.d/audit.rules and /etc/audit/audit.rules:

-a task,never
        
SLES-12-020199 audit_rules_enable_syscall_auditing
V-217205 2132 medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. SRG-OS-ID
In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.
Verify SUSE Linux Enterprise 12 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command:

$  sudo auditctl -l | grep -E '(/etc/passwd)'

-w /etc/passwd -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:

          
          -w /etc/passwd -p wa -k audit_rules_usergroup_modification
          
          
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:

          
          -w /etc/passwd -p wa -k audit_rules_usergroup_modification
        
SLES-12-020200 audit_rules_usergroup_modification_passwd
V-217206 2132 medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. SRG-OS-ID
In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.
Verify SUSE Linux Enterprise 12 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command:

$ sudo auditctl -l | grep -E '(/etc/group)'

-w /etc/group -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:

          
          -w /etc/group -p wa -k audit_rules_usergroup_modification
          
          
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:

          
          -w /etc/group -p wa -k audit_rules_usergroup_modification
        
SLES-12-020210 audit_rules_usergroup_modification_group
V-217207 2130 medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. SRG-OS-ID
In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.
Verify SUSE Linux Enterprise 12 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command:

$  sudo auditctl -l | grep -E '(/etc/shadow)'

-w /etc/shadow -p wa -k identity
      Is it the case that command does not return a line, or the line is commented out?
      
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:

          
          -w /etc/shadow -p wa -k audit_rules_usergroup_modification
          
          
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:

          
          -w /etc/shadow -p wa -k audit_rules_usergroup_modification
        
SLES-12-020220 audit_rules_usergroup_modification_shadow
V-217208 2132 medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. SRG-OS-ID
In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.
Verify SUSE Linux Enterprise 12 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:

$ sudo auditctl -l | grep -E '(/etc/security/opasswd)'

-w /etc/security/opasswd -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:

          
          -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
          
          
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:

          
          -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
        
SLES-12-020230 audit_rules_usergroup_modification_opasswd
V-217209 2234 low The SUSE operating system must generate audit records for all uses of the privileged functions. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have
compromised information system accounts, is a serious and ongoing concern
and can have significant adverse impacts on organizations. Auditing the use
of privileged functions is one way to detect such misuse and identify the
risk from insider threats and the advanced persistent threat.
Verify SUSE Linux Enterprise 12 audits the execution of privileged functions.

Check if SUSE Linux Enterprise 12 is configured to audit the execution of the "execve" system call using the following command:

$ sudo grep execve /etc/audit/audit.rules

The output should be the following:


-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
      Is it the case that the command does not return all lines, or the lines are commented out?
      
Verify the system generates an audit record when privileged functions are executed.

If audit is using the "auditctl" tool to load the rules, run the following command:

$ sudo grep execve /etc/audit/audit.rules

If audit is using the "augenrules" tool to load the rules, run the following command:

$ sudo grep -r execve /etc/audit/rules.d
          -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
          -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
          -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
          -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid


If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
SLES-12-020240 audit_rules_suid_privilege_function
V-217210 2884 medium The SUSE operating system must generate audit records for all uses of the su command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "su" command with the following command:

$ sudo auditctl -l | grep su

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020250 audit_rules_privileged_commands_su
V-217211 2884 low The SUSE operating system must generate audit records for all uses of the sudo command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "sudo" command with the following command:

$ sudo auditctl -l | grep sudo

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020260 audit_rules_privileged_commands_sudo
V-217212 2884 low The SUSE operating system must generate audit records for all uses of the chfn command. SRG-OS-ID
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.

Audit records can be generated from various components within the
information system (e.g., module or policy filter).
To verify that auditing of privileged command use is configured, run the
following command:
$ sudo grep chfn /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules.
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020280 audit_rules_privileged_commands_chfn
V-217213 2884 low The SUSE operating system must generate audit records for all uses of the mount command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "mount" command with the following command:

$ sudo auditctl -l | grep mount

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020290 audit_rules_privileged_commands_mount
V-217214 2884 low The SUSE operating system must generate audit records for all uses of the umount command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "umount" command with the following command:

$ sudo auditctl -l | grep umount

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020300 audit_rules_privileged_commands_umount
V-217215 2884 low The SUSE operating system must generate audit records for all uses of the ssh-agent command. SRG-OS-ID
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.

Audit records can be generated from various components within the
information system (e.g., module or policy filter).
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "ssh-agent" command with the following command:

$ sudo auditctl -l | grep ssh-agent

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect any execution attempt
of the ssh-agent command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
          
SLES-12-020310 audit_rules_privileged_commands_ssh_agent
V-217216 2884 low The SUSE operating system must generate audit records for all uses of the ssh-keysign command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "ssh-keysign" command with the following command:

$ sudo auditctl -l | grep ssh-keysign

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020320 audit_rules_privileged_commands_ssh_keysign
V-217217 2884 medium The SUSE operating system must generate audit records for all uses of the kmod command. SRG-OS-ID
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.

Audit records can be generated from various components within the
information system (e.g., module or policy filter).
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "kmod" command with the following command:

$ sudo auditctl -l | grep kmod

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /usr/bin/kmod -p x -k modules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-w /usr/bin/kmod -p x -k modules
          
SLES-12-020360 audit_rules_privileged_commands_kmod
V-217218 2884 medium The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls. SRG-OS-ID
The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to the
setxattr system call, run the following command:
$ sudo grep "setxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
          
SLES-12-020370 audit_rules_dac_modification_setxattr
V-251722 2884 medium The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls. SRG-OS-ID
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Verify SUSE Linux Enterprise 12 generates an audit record for unsuccessful attempts to use the unlinkat system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r unlinkat /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep unlinkat /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete
      Is it the case that the command does not return a line, or the line is commented out?
      
The operating system must generate audit records for all uses of the unlinkat system call.
Without generating audit records specific to the security and mission needs of the organization, it would be
difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
Add or update the following lines to /etc/audit/rules.d/audit.rules to configure the operating system to generate
an audit record for all uses of the unlinkat system call:

-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=-1 -k perm_mod
          
SLES-12-020411 audit_rules_unsuccessful_file_modification_unlinkat
V-217223 2884 medium The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown syscalls. SRG-OS-ID
The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to the
lchown system call, run the following command:
$ sudo grep "lchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
          
SLES-12-020420 audit_rules_dac_modification_lchown
V-217227 2884 medium The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls. SRG-OS-ID
The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to the
fchmodat system call, run the following command:
$ sudo grep "fchmodat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
          
SLES-12-020460 audit_rules_dac_modification_fchmodat
V-217230 2884 medium The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls. SRG-OS-ID
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Verify SUSE Linux Enterprise 12 generates an audit record for unsuccessful attempts to use the truncate system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r truncate /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep truncate /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
          
SLES-12-020490 audit_rules_unsuccessful_file_modification_truncate
V-217236 2884 low The SUSE operating system must generate audit records for all uses of the passwd command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "passwd" command with the following command:

$ sudo auditctl -l | grep passwd

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020550 audit_rules_privileged_commands_passwd
V-217237 2884 low The SUSE operating system must generate audit records for all uses of the gpasswd command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "gpasswd" command with the following command:

$ sudo auditctl -l | grep gpasswd

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020560 audit_rules_privileged_commands_gpasswd
V-217238 2884 low The SUSE operating system must generate audit records for all uses of the newgrp command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "newgrp" command with the following command:

$ sudo auditctl -l | grep newgrp

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020570 audit_rules_privileged_commands_newgrp
V-217239 2884 low The SUSE operating system must generate audit records for a uses of the chsh command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "chsh" command with the following command:

$ sudo auditctl -l | grep chsh

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020580 audit_rules_privileged_commands_chsh
V-217240 2130 medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. SRG-OS-ID
In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.
Verify SUSE Linux Enterprise 12 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command:

$ sudo auditctl -l | grep -E '(/etc/gshadow)'

-w /etc/gshadow -p wa -k identity

If the command does not return a line, or the line is commented out, this is a finding.
      Is it the case that the system is not configured to audit account changes?
      
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:

          
          -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
          
          
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:

          
          -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
        
SLES-12-020590 audit_rules_usergroup_modification_gshadow
V-217241 2884 medium The SUSE operating system must generate audit records for all uses of the chmod command. SRG-OS-ID
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.

Audit records can be generated from various components within the
information system (e.g., module or policy filter).
To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/bin/chmod" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      Is it the case that ?
      
At a minimum, the audit system should collect any execution attempt
of the chmod command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020600 audit_rules_execution_chmod
V-217242 2884 medium The SUSE operating system must generate audit records for all uses of the setfacl command. SRG-OS-ID
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter).
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "setfacl" command with the following command:

$ sudo auditctl -l | grep setfacl

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect any execution attempt
of the setfacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020610 audit_rules_execution_setfacl
V-217243 2884 medium The SUSE operating system must generate audit records for all uses of the chacl command. SRG-OS-ID
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter).
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "chacl" command with the following command:

$ sudo auditctl -l | grep chacl

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect any execution attempt
of the chacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020620 audit_rules_execution_chacl
V-217244 2884 medium Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "chcon" command with the following command:

$ sudo auditctl -l | grep chcon

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect any execution attempt
of the chcon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020630 audit_rules_execution_chcon
V-217245 2884 medium The SUSE operating system must generate audit records for all uses of the rm command. SRG-OS-ID
Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.

Audit records can be generated from various components within the
information system (e.g., module or policy filter).
To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/bin/rm" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      Is it the case that ?
      
At a minimum, the audit system should collect any execution attempt
of the rm command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020640 audit_rules_execution_rm
V-217246 2884 medium The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record. SRG-OS-ID
Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
Verify SUSE Linux Enterprise 12 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/tallylog" with the following command:

$ sudo auditctl -l | grep /var/log/tallylog

-w /var/log/tallylog -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
          
SLES-12-020650 audit_rules_login_events_tallylog
V-217247 2884 medium The SUSE operating system must generate audit records for all modifications to the lastlog file. SRG-OS-ID
Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
Verify SUSE Linux Enterprise 12 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command:

$ sudo auditctl -l | grep /var/log/lastlog

-w /var/log/lastlog -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
          
SLES-12-020660 audit_rules_login_events_lastlog
V-217248 2884 medium The SUSE operating system must generate audit records for all uses of the passmass command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
To verify that auditing of privileged command use is configured, run the
following command:
$ sudo grep passmass /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules.
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020670 audit_rules_privileged_commands_passmass
V-217249 2884 medium The SUSE operating system must generate audit records for all uses of the unix_chkpwd command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "unix_chkpwd" command with the following command:

$ sudo auditctl -l | grep unix_chkpwd

-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020680 audit_rules_privileged_commands_unix_chkpwd
V-217250 2884 medium The SUSE operating system must generate audit records for all uses of the chage command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "chage" command with the following command:

$ sudo auditctl -l | grep chage

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020690 audit_rules_privileged_commands_chage
V-217251 2884 medium The SUSE operating system must generate audit records for all uses of the usermod command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "usermod" command with the following command:

$ sudo auditctl -l | grep usermod

-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020700 audit_rules_privileged_commands_usermod
V-217252 2884 medium The SUSE operating system must generate audit records for all uses of the crontab command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Verify that SUSE Linux Enterprise 12 is configured to audit the execution of the "crontab" command with the following command:

$ sudo auditctl -l | grep crontab

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
      Is it the case that the command does not return a line, or the line is commented out?
      
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020710 audit_rules_privileged_commands_crontab
V-217253 2884 medium The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command. SRG-OS-ID
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.

            
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
          
SLES-12-020720 audit_rules_privileged_commands_pam_timestamp_check
V-217254 2884 medium The SUSE operating system must generate audit records for all uses of the delete_module command. SRG-OS-ID
The removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.
To determine if the system is configured to audit calls to the
delete_module system call, run the following command:
$ sudo grep "delete_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      
To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S delete_module -F key=modules


Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.

If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules.
SLES-12-020730 audit_rules_kernel_module_loading_delete
V-217255 2884 medium The SUSE operating system must generate audit records for all uses of the init_module and finit_module syscalls. SRG-OS-ID
The addition of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.
To determine if the system is configured to audit calls to the
init_module system call, run the following command:
$ sudo grep "init_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      
To capture kernel module loading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S init_module -F key=modules


Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.

If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules.
SLES-12-020740 audit_rules_kernel_module_loading_init
V-217257 2884 medium The SUSE operating system must generate audit records for all modifications to the faillog file. SRG-OS-ID
Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
To verify that auditing is configured for system administrator actions, run the following command:
Configure the operating system to generate an audit record for any all modifications to the "faillog" file occur.
Add or update the following rules in the "/etc/audit/audit.rules" file:
-w /var/log/faillog -p wa -k logins
The audit daemon must be restarted for the changes to take effect.
# sudo systemctl restart auditd.service
      Is it the case that there is no output?
      
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/faillog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/faillog -p wa -k logins
          
SLES-12-020760 audit_rules_login_events_faillog
V-217258 381 medium The SUSE operating system must not have the telnet-server package installed. SRG-OS-ID
It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.

The telnet service provides an unencrypted remote access service which does
not provide for the confidentiality and integrity of user passwords or the
remote session. If a privileged user were to login using this service, the
privileged user password could be compromised.

Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation.
Run the following command to determine if the telnet-server package is installed:
$ rpm -q telnet-server
      Is it the case that the package is installed?
      
The telnet-server package can be removed with the following command:

$ sudo zypper remove telnet-server
          
SLES-12-030000 package_telnet-server_removed
V-237619 381 medium The SUSE operating system must not have the vsftpd package installed if not required for operational support. SRG-OS-ID
Removing the vsftpd package decreases the risk of its
accidental activation.
Run the following command to determine if the vsftpd package is installed:
$ rpm -q vsftpd
      Is it the case that the package is installed?
      
The vsftpd package can be removed with the following command:  $ sudo zypper remove vsftpd
          
SLES-12-030011 package_vsftpd_removed
V-217260 50 medium The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text. SRG-OS-ID
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.

              
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist.
To check if the system login banner is compliant,
run the following command:
$ cat /etc/gdm/banner
      Is it the case that it does not display the required banner?
      
To configure the GUI system login banner edit /etc/gdm/banner.
Replace the default text with a message compliant with the local site
policy or a legal disclaimer.

The DoD required text is either:

              
              You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
              
              
OR:

              
              I've read & consent to terms in IS user agreem't.
            
SLES-12-030020 banner_etc_gdm_banner
V-217261 2080 medium The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. SRG-OS-ID
To prevent unauthorized connection of devices, unauthorized transfer of
information, or unauthorized tunneling (i.e., embedding of data types
within data types), organizations must disable or restrict unused or
unnecessary physical and logical ports/protocols on information systems.

SUSE operating systems are capable of providing a wide variety of functions
and services. Some of the functions and services provided by default may not
be necessary to support essential organizational operations. Additionally,
it is sometimes convenient to provide multiple services from a single
component (e.g., VPN and IPS); however, doing so increases risk over
limiting the services provided by any one component.

To support the requirements and principles of least functionality, the SUSE
operating system must support the organizational requirements, providing
only essential capabilities and limiting the use of ports, protocols,
and/or services to only those required, authorized, and approved to conduct
official business or address authorized quality-of-life issues.
Run the following command to determine if the SuSEfirewall2 package is installed:
$ rpm -q SuSEfirewall2


Run the following command to determine the current status of the
SuSEfirewall2 service:
$ sudo systemctl is-active SuSEfirewall2
If the service is running, it should return the following: active

Check the firewall configuration for any unnecessary or prohibited 
functions, ports, protocols, and/or services by running the following 
command:

# grep ^FW_ /etc/sysconfig/SuSEfirewall2
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

Ask the System Administrator for the site or program PPSM Component Local 
Services Assessment (Component Local Services Assessment (CLSA). Verify the     services allowed by the firewall match the PPSM CLSA.

If there are any additional ports, protocols, or services that are not 
included in the PPSM CLSA, this is a finding.

If there are any ports, protocols, or services that are prohibited by the 
PPSM CAL, this is a finding.
      Is it the case that unauthorized network services can be accessed from the network?
      
The SuSEfirewall2 package can be installed with the following command:

$ sudo zypper install SuSEfirewall2

The SuSEfirewall2 service can be enabled with the following command:
$ sudo systemctl enable SuSEfirewall2.service

Check the firewall configuration for any unnecessary or prohibited
functions, ports, protocols, and/or services by running the following
command:

# grep ^FW_ /etc/sysconfig/SuSEfirewall2
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

Ask the System Administrator for the site or program PPSM Component Local
Services Assessment (Component Local Services Assessment (CLSA). Verify the
services allowed by the firewall match the PPSM CLSA. 
SLES-12-030030 susefirewall2_only_required_services
V-217262 2385 high SuSEfirewall2 must protect against or limit the effects of Denial-of-Service (DoS) attacks on the SUSE operating system by implementing rate-limiting measures on impacted network interfaces. SRG-OS-ID
DoS is a condition when a resource is not available for legitimate users.
When this occurs, the organization either cannot accomplish its mission or
must operate at degraded capacity.

This requirement addresses the configuration of the SUSE operating system to
mitigate the impact on system availability of DoS attacks that have occurred
or are ongoing. For each system, known and potential DoS attacks must be
identified and solutions for each type implemented. A variety of
technologies exist to limit or, in some cases, eliminate the effects of
DoS attacks (e.g., limiting processes or establishing memory partitions).
Employing increased capacity and bandwidth, combined with service
redundancy, may reduce the susceptibility to some DoS attacks.
Run the following command to determine if the SuSEfirewall2 package is installed:
$ rpm -q SuSEfirewall2


Run the following command to determine the current status of the
SuSEfirewall2 service:
$ sudo systemctl is-active SuSEfirewall2
If the service is running, it should return the following: active

Run the following command:

# grep -i fw_services_accept_ext /etc/sysconfig/SuSEfirewall2
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

If the "FW_SERVICES_ACCEPT_EXT" rule does not contain both the
hitcount and blockseconds parameters, this is a finding.
      Is it the case that the DoS protection is not active?
      
The SuSEfirewall2 package can be installed with the following command:

$ sudo zypper install SuSEfirewall2

The SuSEfirewall2 service can be enabled with the following command:
$ sudo systemctl enable SuSEfirewall2.service

Verify "SuSEfirewall2" is configured to protect the SUSE operating system
against or limit the effects of DoS attacks. 

Run the following command:

# grep -i fw_services_accept_ext /etc/sysconfig/SuSEfirewall2
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

If the "FW_SERVICES_ACCEPT_EXT" rule does not contain both the
hitcount and blockseconds parameters, this is a finding.
SLES-12-030040 susefirewall2_ddos_protection
V-217263 48 medium The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH. SRG-OS-ID
The warning message reinforces policy awareness during the logon process and
facilitates possible legal action against attackers. Alternatively, systems
whose ownership should not be obvious should ensure usage of a banner that does
not provide easy attribution.
To determine how the SSH daemon's Banner option is set, run the following command:

$ sudo grep -i Banner /etc/ssh/sshd_config

If a line indicating /etc/issue is returned, then the required value is set.

      Is it the case that the required value is not set?
      
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in


/etc/ssh/sshd_config:

Banner /etc/issue
Another section contains information on how to create an
appropriate system-wide warning banner.
SLES-12-030050 sshd_enable_warning_banner
V-217264 2422 high All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. SRG-OS-ID
Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.

          
This checklist item applies to both internal and external networks and all types
of information system components from which information can be transmitted (e.g., servers,
mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths
outside the physical protection of a controlled boundary are exposed to the possibility
of interception and modification.

Run the following command to determine the current status of the
sshd service:
$ sudo systemctl is-active sshd
If the service is running, it should return the following: active
      Is it the case that sshd service is disabled?
      
The SSH server service, sshd, is commonly needed.

The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
        
SLES-12-030100 service_sshd_enabled
V-217265 67 medium The SUSE operating system must log SSH connection attempts and failures to the server. SRG-OS-ID
SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
not recommended other than strictly for debugging SSH communications since it provides
so much data that it is difficult to identify important security information. INFO or
VERBOSE level is the basic level that only records login activity of SSH users. In many
situations, such as Incident Response, it is important to determine when a particular user was active
on a system. The logout record can eliminate those users who disconnected, which helps narrow the
field.
To determine how the SSH daemon's LogLevel option is set, run the following command:

$ sudo grep -i LogLevel /etc/ssh/sshd_config

If a line indicating VERBOSE is returned, then the required value is set.

      Is it the case that the required value is not set?
      
The VERBOSE parameter configures the SSH daemon to record login and logout activity.
To specify the log level in
SSH, add or correct the following line in


/etc/ssh/sshd_config:

LogLevel VERBOSE
          
SLES-12-030110 sshd_set_loglevel_verbose
V-217266 52 medium The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon. SRG-OS-ID
Providing users feedback on when account accesses last occurred facilitates user
recognition and reporting of unauthorized account use.
To determine how the SSH daemon's PrintLastLog option is set, run the following command:

$ sudo grep -i PrintLastLog /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      
Ensure that SSH will display the date and time of the last successful account logon.

The default SSH configuration enables print of the date and time of the last login.
The appropriate configuration is used if no value is set for PrintLastLog.

To explicitly enable LastLog in SSH, add or correct the following line in


/etc/ssh/sshd_config:

PrintLastLog yes
          
SLES-12-030130 sshd_print_last_log
V-217267 770 medium The SUSE operating system must deny direct logons to the root account using remote access via SSH. SRG-OS-ID
Even though the communications channel may be encrypted, an additional layer of
security is gained by extending the policy of not logging directly on as root.
In addition, logging in with a user-specific account provides individual
accountability of actions performed on the system and also helps to minimize
direct attack attempts on root's password.
To determine how the SSH daemon's PermitRootLogin option is set, run the following command:

$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      
The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in


/etc/ssh/sshd_config:

PermitRootLogin no
          
SLES-12-030140 sshd_disable_root_login
V-217268 366 high The SUSE operating system must not allow automatic logon via SSH. SRG-OS-ID
Configuring this setting for the SSH daemon provides additional assurance
that remote login via SSH will require a password, even in the event of
misconfiguration elsewhere.
To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:

$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      
Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords.

To explicitly disallow SSH login from accounts with empty passwords,
add or correct the following line in


/etc/ssh/sshd_config:


            PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords.
SLES-12-030150 sshd_disable_empty_passwords
V-217269 366 medium The SUSE operating system must not allow users to override SSH environment variables. SRG-OS-ID
SSH environment options potentially allow users to bypass
access restriction in some configurations.
To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command:

$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      
Ensure that users are not able to override environment variables of the SSH daemon.

The default SSH configuration disables environment processing. The appropriate
configuration is used if no value is set for PermitUserEnvironment.

To explicitly disable Environment options, add or correct the following


/etc/ssh/sshd_config:

PermitUserEnvironment no
          
SLES-12-030151 sshd_do_not_permit_user_env
V-217270 2890 medium The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections. SRG-OS-ID
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.

Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to
cryptographic modules.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
utilize authentication that meets industry and government requirements. For government systems, this allows
Security Levels 1, 2, 3, or 4 for use on SUSE Linux Enterprise 12.
Only FIPS ciphers should be used. To verify that only FIPS-approved
ciphers are in use, run the following command:
$ sudo grep Ciphers /etc/ssh/sshd_config
The output should contain only those ciphers which are FIPS-approved.
      Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved?
      
Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers.

The rule is parametrized to use the following ciphers: 
              
            .
SLES-12-030170 sshd_use_approved_ciphers
V-217271 3123 medium The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. SRG-OS-ID
DoD Information Systems are required to use FIPS-approved cryptographic hash
functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
Only FIPS-approved MACs should be used. To verify that only FIPS-approved
MACs are in use, run the following command:
$ sudo grep -i macs /etc/ssh/sshd_config
The output should contain only those MACs which are FIPS-approved. Any use of other
ciphers or algorithms will result in the module entering the non-FIPS mode of
operation.
      Is it the case that MACs option is commented out or not using FIPS-approved hash algorithms?
      
Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved MACs:

MACs hmac-sha2-512,hmac-sha2-256

The man page sshd_config(5) contains a list of supported MACs.

The rule is parametrized to use the following MACs: 
              
            .
SLES-12-030180 sshd_use_approved_macs
V-217272 2361 medium The SUSE operating system SSH daemon must be configured with a timeout interval. SRG-OS-ID
Terminating an idle ssh session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management session
enabled on the console or console port that has been let unattended.
Run the following command to see what the timeout interval is:
$ sudo grep ClientAliveInterval /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveInterval 
      Is it the case that it is commented out or not configured properly?
      
SSH allows administrators to set a network responsiveness timeout interval.
After this interval has passed, the unresponsive client will be automatically logged out.

            
To set this timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval 
                
              
            
            
            
The timeout interval is given in seconds. For example, have a timeout
of 10 minutes, set interval to 600.

            
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle.
SLES-12-030190 sshd_set_idle_timeout
V-217273 2361 medium The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity. SRG-OS-ID
This ensures a user login will be terminated as soon as the ClientAliveInterval
is reached.
To ensure ClientAliveInterval is set correctly, run the following command:
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveCountMax 
For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when
the ClientAliveInterval is set.  Starting with v8.2, a value of 0 disables the timeout
functionality completely.
If the option is set to a number greater than 0, then the session will be disconnected after
ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message.
      Is it the case that it is commented out or not configured properly?
      
The SSH server sends at most ClientAliveCountMax messages
during a SSH session and waits for a response from the SSH client.
The option ClientAliveInterval configures timeout after
each ClientAliveCountMax message. If the SSH server does not
receive a response from the client, then the connection is considered unresponsive
and terminated.
For SSH earlier than v8.2, a ClientAliveCountMax value of 0
causes a timeout precisely when the ClientAliveInterval is set.
Starting with v8.2, a value of 0 disables the timeout functionality
completely. If the option is set to a number greater than 0, then
the session will be disconnected after
ClientAliveInterval * ClientAliveCountMax seconds without receiving
a keep alive message.
SLES-12-030191 sshd_set_keepalive
V-217274 366 medium The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication. SRG-OS-ID
Configuring this setting for the SSH daemon provides additional
assurance that remote login via SSH will require a password, even
in the event of misconfiguration elsewhere.
To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:

$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      
SSH can allow system users to connect to systems if a cache of the remote
systems public keys is available.  This should be disabled.

            
To ensure this behavior is disabled, add or correct the following line in


/etc/ssh/sshd_config:

IgnoreUserKnownHosts yes
          
SLES-12-030200 sshd_disable_user_known_hosts
V-217275 366 medium The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive. SRG-OS-ID
If a public host key file is modified by an unauthorized user, the SSH service
may be compromised.
To check the permissions of /etc/ssh/*.pub,
run the command:
$ ls -l /etc/ssh/*.pub
If properly configured, the output should indicate the following permissions:
-rw-r--r--
      Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--?
      
 To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub
        
SLES-12-030210 file_permissions_sshd_pub_key
V-217276 366 medium The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive. SRG-OS-ID
If an unauthorized user obtains the private SSH host key file, the host could be
impersonated.
To check the permissions of /etc/ssh/*_key,
run the command:
$ ls -l /etc/ssh/*_key
If properly configured, the output should indicate the following permissions:
-rw-r-----
      Is it the case that /etc/ssh/*_key does not have unix mode -rw-r-----?
      
SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions.
If those files are owned by the root user and the root group, they have to have the 0640 permission or stricter.
SLES-12-030220 file_permissions_sshd_private_key
V-217277 366 medium The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files. SRG-OS-ID
If other users have access to modify user-specific SSH configuration files, they
may be able to log into the system as another user.
To determine how the SSH daemon's StrictModes option is set, run the following command:

$ sudo grep -i StrictModes /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      
SSHs StrictModes option checks file and ownership permissions in
the user's home directory .ssh folder before accepting login. If world-
writable permissions are found, logon is rejected.

The default SSH configuration has StrictModes enabled. The appropriate
configuration is used if no value is set for StrictModes.

To explicitly enable StrictModes in SSH, add or correct the following line in


/etc/ssh/sshd_config:

StrictModes yes
          
SLES-12-030230 sshd_enable_strictmodes
V-217278 366 medium The SUSE operating system SSH daemon must use privilege separation. SRG-OS-ID
SSH daemon privilege separation causes the SSH process to drop root privileges
when not needed which would decrease the impact of software vulnerabilities in
the unprivileged section.
To check if UsePrivilegeSeparation is enabled or set correctly, run the
following command:
$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config
If configured properly, output should be .
      Is it the case that it is commented out or is not enabled?
      
When enabled, SSH will create an unprivileged child process that
has the privilege of the authenticated user. To enable privilege separation in
SSH, add or correct the following line in the /etc/ssh/sshd_config file:
UsePrivilegeSeparation 
            
          
SLES-12-030240 sshd_use_priv_separation
V-217279 366 medium The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication. SRG-OS-ID
If compression is allowed in an SSH connection prior to authentication,
vulnerabilities in the compression software could result in compromise of the
system from an unauthenticated connection, potentially with root privileges.
To check if compression is enabled or set correctly, run the
following command:
$ sudo grep Compression /etc/ssh/sshd_config
If configured properly, output should be no or delayed.
      Is it the case that it is commented out, or is not set to no or delayed?
      
Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise,
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
/etc/ssh/sshd_config file:
Compression 
            
          
SLES-12-030250 sshd_disable_compression
V-217280 366 medium The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements. SRG-OS-ID
Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands
remotely.
To determine how the SSH daemon's X11Forwarding option is set, run the following command:

$ sudo grep -i X11Forwarding /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      
By default, remote X11 connections are not encrypted when initiated
by users. SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.

            
To enable X11 Forwarding, add or correct the following line in


/etc/ssh/sshd_config:

X11Forwarding yes
          
SLES-12-030260 sshd_enable_x11_forwarding
V-233308 366 medium The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display. SRG-OS-ID
When X11 forwarding is enabled, there may be additional exposure to the
server and client displays if the sshd proxy display is configured to listen
on the wildcard address. By default, sshd binds the forwarding server to the
loopback address and sets the hostname part of the DISPLAY
environment variable to localhost. This prevents remote hosts from
connecting to the proxy display.
To determine how the SSH daemon's X11UseLocalhost option is set, run the following command:

$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.
      Is it the case that the display proxy is listening on wildcard address?
      
The SSH daemon should prevent remote hosts from connecting to the proxy
display.

The default SSH configuration for X11UseLocalhost is yes,
which prevents remote hosts from connecting to the proxy display.

To explicitly prevent remote connections to the proxy display, add or correct
the following line in


/etc/ssh/sshd_config:

X11UseLocalhost yes
          
SLES-12-030261 sshd_x11_use_localhost
V-255914 1453 medium The SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms. SRG-OS-ID
DoD information systems are required to use FIPS-approved key exchange algorithms.
The system will attempt to use the first algorithm presented by the client that matches
the server list. Listing the values "strongest to weakest" is a method to ensure the use
of the strongest algorithm available to secure the SSH connection.
Only FIPS-approved key exchange algorithms must be used. To verify that only FIPS-approved
key exchange algorithms are in use, run the following command:
$ sudo grep -i kexalgorithms /etc/ssh/sshd_config
The output should contain only following algorithms (or a subset) in the exact order:
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
      Is it the case that KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order?
      
Limit the key exchange algorithms to those  which are FIPS-approved.
Add or modify the following line in /etc/ssh/sshd_config
            KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
This rule ensures that only the key exchange algorithms mentioned
above (or their subset) are configured for use, keeping the given
order of algorithms.
SLES-12-030270 sshd_use_approved_kex_ordered_stig
V-217281 1891 medium The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours. SRG-OS-ID
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
Verify SUSE Linux Enterprise 12 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command:
$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf /etc/chrony.d/
server [ntp.server.name] iburst maxpoll .
      Is it the case that "maxpoll" has not been set to the value of "", is commented out, or is missing?
      
The maxpoll should be configured to
 in /etc/ntp.conf or
/etc/chrony.conf (or /etc/chrony.d/) to continuously poll time servers. To configure
maxpoll in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/)
add the following after each server, pool or peer entry:
maxpoll 
          
to server directives. If using chrony, any pool directives
should be configured too.
SLES-12-030300 chronyd_or_ntpd_set_maxpoll
V-217282 1890 low The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). SRG-OS-ID
If time stamps are not consistently applied and there is no common
time reference, it is difficult to perform forensic analysis.

Time stamps generated by the operating system include date and time.
Time is commonly expressed in UTC, a modern continuation of GMT, or
local time with an offset from UTC.
To verify that the system real-time clock is set to UTC or GMT, run the following command:

# timedatectl status | grep -i "time zone"
# Time zone: UTC (UTC, +0000)

If "Timezone" is not set to UTC, this is a finding.
Fix Text: Configure the SUSE operating system is configured to use UTC.
To configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with "UTC" or "GMT".
# sudo timedatectl set-timezone [ZONE]
      Is it the case that the system real-time clock is not configured to use UTC as its time base?
      
Ensure that the system real-time clock (RTC) is set to Coordinated Universal Time (UTC).
SLES-12-030310 ensure_rtc_utc_configuration
V-217283 2824 medium The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses. SRG-OS-ID
Exposing kernel pointers (through procfs or seq_printf()) exposes kernel
writeable structures which may contain functions pointers. If a write vulnerability
occurs in the kernel, allowing write access to any of this structure, the kernel can
be compromised. This option disallow any program without the CAP_SYSLOG capability
to get the addresses of kernel pointers by replacing them with 0.
The runtime status of the kernel.kptr_restrict kernel parameter can be queried
by running the following command:
$ sysctl kernel.kptr_restrict
The output of the command should indicate either:
kernel.kptr_restrict = 1
or:
kernel.kptr_restrict = 2
The output of the command should not indicate:
kernel.kptr_restrict = 0

The preferable way how to assure the runtime compliance is to have
correct persistent configuration, and rebooting the system.

The persistent kernel parameter configuration is performed by specifying the appropriate
assignment in any file located in the /etc/sysctl.d directory.
Verify that there is not any existing incorrect configuration by executing the following command:
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
The command should not find any assignments other than:
kernel.kptr_restrict = 1
or:
kernel.kptr_restrict = 2

Conflicting assignments are not allowed.
      Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0?
      
To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=
              
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 
              
            
SLES-12-030320 sysctl_kernel_kptr_restrict
V-217284 2824 medium Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution. SRG-OS-ID
Address space layout randomization (ASLR) makes it more difficult for an
attacker to predict the location of attack code they have introduced into a
process's address space during an attempt at exploitation. Additionally,
ASLR makes it more difficult for an attacker to know the location of
existing code in order to re-purpose it using return oriented programming
(ROP) techniques.
The runtime status of the kernel.randomize_va_space kernel parameter can be queried
by running the following command:
$ sysctl kernel.randomize_va_space
2.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2
            
SLES-12-030330 sysctl_kernel_randomize_va_space
V-217285 1851 medium The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly. SRG-OS-ID
A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise.
To ensure logs are sent to a remote host, examine the file
/etc/rsyslog.conf.
If using UDP, a line similar to the following should be present:
 *.* @
If using TCP, a line similar to the following should be present:
 *.* @@
If using RELP, a line similar to the following should be present:
 *.* :omrelp:
      Is it the case that no evidence that the audit logs are being off-loaded to another system or media?
      
To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting 
              
                
              
             appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.

To use UDP for log message delivery:
*.* @
                
              
            
            
To use TCP for log message delivery:
*.* @@
                
              
            
            
To use RELP for log message delivery:
*.* :omrelp:
                
              
            
            
There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
SLES-12-030340 rsyslog_remote_loghost
V-217286 1095 medium The SUSE operating system must be configured to use TCP syncookies. SRG-OS-ID
A TCP SYN flood attack can cause a denial of service by filling a
system's TCP connection table with connections in the SYN_RCVD state.
Syncookies can be used to track a connection when a subsequent ACK is received,
verifying the initiator is attempting a valid connection and is not a flood
source. This feature is activated when a flood condition is detected, and
enables the system to continue servicing valid connection requests.
The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.tcp_syncookies
1.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
            
SLES-12-030350 sysctl_net_ipv4_tcp_syncookies
V-217287 366 medium The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. SRG-OS-ID
Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.

              
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.
The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.accept_source_route
0.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0
            
SLES-12-030360 sysctl_net_ipv4_conf_all_accept_source_route
V-217288 366 medium The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets. SRG-OS-ID
Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.

              
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.
The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.accept_source_route
0.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0
            
SLES-12-030361 sysctl_net_ipv6_conf_all_accept_source_route
V-237620 366 medium The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. SRG-OS-ID
Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.
The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_source_route
0.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
            
SLES-12-030362 sysctl_net_ipv6_conf_default_accept_source_route
V-237621 366 medium The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. SRG-OS-ID
An illicit ICMP redirect message could result in a man-in-the-middle attack.
The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.accept_redirects
0.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0
            
SLES-12-030363 sysctl_net_ipv6_conf_all_accept_redirects
V-237622 366 medium The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. SRG-OS-ID
IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers.
The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.forwarding
0.
The ability to forward packets is only appropriate for routers.
      Is it the case that IP forwarding value is "1" and the system is not router?
      
To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.forwarding = 0
            
SLES-12-030364 sysctl_net_ipv6_conf_all_forwarding
V-237623 366 medium The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router. SRG-OS-ID
IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers.
The runtime status of the net.ipv6.conf.default.forwarding kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.forwarding
0.
The ability to forward packets is only appropriate for routers.
      Is it the case that IPv6 Forwading is not disabled?
      
To set the runtime status of the net.ipv6.conf.default.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.forwarding = 0
            
SLES-12-030365 sysctl_net_ipv6_conf_default_forwarding
V-217289 366 medium The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. SRG-OS-ID
Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.

Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required, such as when
IPv4 forwarding is enabled and the system is legitimately functioning as a
router.
The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.accept_source_route
0.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0
            
SLES-12-030370 sysctl_net_ipv4_conf_default_accept_source_route
V-217290 366 medium The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. SRG-OS-ID
Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.

Ignoring ICMP echo requests (pings) sent to broadcast or multicast
addresses makes the system slightly more difficult to enumerate on the network.
The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.icmp_echo_ignore_broadcasts
1.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_echo_ignore_broadcasts = 1
            
SLES-12-030380 sysctl_net_ipv4_icmp_echo_ignore_broadcasts
V-217291 366 medium The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. SRG-OS-ID
ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.

This feature of the IPv4 protocol has few legitimate uses. It should be
disabled unless absolutely required."
The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.accept_redirects
0.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0
            
SLES-12-030390 sysctl_net_ipv4_conf_all_accept_redirects
V-217292 366 medium The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. SRG-OS-ID
ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should
be disabled unless absolutely required.
The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.accept_redirects
0.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
            
SLES-12-030400 sysctl_net_ipv4_conf_default_accept_redirects
V-217293 366 medium The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default. SRG-OS-ID
An illicit ICMP redirect message could result in a man-in-the-middle attack.
The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_redirects
0.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0
            
SLES-12-030401 sysctl_net_ipv6_conf_default_accept_redirects
V-217294 366 medium The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. SRG-OS-ID
ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.

The ability to send ICMP redirects is only appropriate for systems acting as routers.
The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.send_redirects
0.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0
            
SLES-12-030410 sysctl_net_ipv4_conf_default_send_redirects
V-217295 366 medium The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. SRG-OS-ID
ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.

The ability to send ICMP redirects is only appropriate for systems acting as routers.
The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.send_redirects
0.

      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0
            
SLES-12-030420 sysctl_net_ipv4_conf_all_send_redirects
V-217296 366 medium The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. SRG-OS-ID
Routing protocol daemons are typically used on routers to exchange
network topology information with other routers. If this capability is used when
not required, system network information may be unnecessarily transmitted across
the network.
The runtime status of the net.ipv4.ip_forward kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.ip_forward
0.
The ability to forward packets is only appropriate for routers.
      Is it the case that the correct value is not returned?
      
To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0
            
SLES-12-030430 sysctl_net_ipv4_ip_forward
V-217297 366 medium The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented. SRG-OS-ID
Network interfaces in promiscuous mode allow for the capture of all network traffic
visible to the system. If unauthorized individuals can access these applications, it
may allow them to collect information such as logon IDs, passwords, and key exchanges
between systems.

          
If the system is being used to perform a network troubleshooting function, the use of these
tools must be documented with the Information Systems Security Manager (ISSM) and restricted
to only authorized personnel.
Verify that Promiscuous mode of an interface is disabled, run the following command:
$ ip link | grep PROMISC
      Is it the case that any network device is in promiscuous mode?
      
The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command:
$ sudo ip link set dev device_name multicast off promisc off
        
SLES-12-030440 network_sniffer_disabled
V-217298 2418 medium The SUSE operating system wireless network adapters must be disabled unless approved and documented. SRG-OS-ID
The use of wireless networking can introduce many different attack vectors into
the organization's network. Common attack vectors such as malicious association
and ad hoc networks will allow an attacker to spoof a wireless access point
(AP), allowing validated systems to connect to the malicious AP and enabling the
attacker to monitor and record network traffic. These malicious APs can also
serve to create a man-in-the-middle attack or be used to create a denial of
service to valid network resources.
Verify that there are no wireless interfaces configured on the system
with the following command:

# wicked show all
lo up
link: #1, state up
type: loopback
config: compat:suse:/etc/sysconfig/network/ifcfg-lo
leases: ipv4 static granted
leases: ipv6 static granted
addr: ipv4 127.0.0.1/8 [static]
addr: ipv6 ::1/128 [static]

wlan0 up
link: #3, state up, mtu 1500
type: wireless, hwaddr 06:00:00:00:00:02
config: wicked:xml:/etc/wicked/ifconfig/wlan0.xml
leases: ipv4 dhcp granted
addr: ipv4 10.0.0.101/16 [dhcp]
route: ipv4 default via 10.0.0.1 proto dhcp
The output should not contain any interfaces of type wireless in
state up.

If a wireless interface is configured it must be documented and approved by
the local Authorizing Official.
      Is it the case that a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)?
      
Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.

              

Configure the system to disable wireless network interfaces by issuing the following
command for every active  in the system:
$ sudo wicked ifdown 
Also remove the configuration files for every wifi adapter from
/etc/wicked/ifconfig/.xml to prevent future
connections.
SLES-12-030450 wireless_disable_interfaces
V-217299 1954 medium The SUSE operating system must have the packages required for multifactor authentication to be installed. SRG-OS-ID
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.

                
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.
Check that SUSE Linux Enterprise 12 has the packages for smart card support installed.

Run the following command to determine if the pam_pkcs11 package is installed:
$ rpm -q pam_pkcs11

Run the following command to determine if the mozilla-nss package is installed:
$ rpm -q mozilla-nss

Run the following command to determine if the mozilla-nss-tools package is installed:
$ rpm -q mozilla-nss-tools

Run the following command to determine if the pcsc-ccid package is installed:
$ rpm -q pcsc-ccid

Run the following command to determine if the pcsc-lite package is installed:
$ rpm -q pcsc-lite

Run the following command to determine if the pcsc-tools package is installed:
$ rpm -q pcsc-tools

Run the following command to determine if the opensc package is installed:
$ rpm -q opensc

Run the following command to determine if the coolkey package is installed:
$ rpm -q coolkey
      Is it the case that smartcard software is not installed?
      
Configure the operating system to implement multifactor authentication by
installing the required package with the following command:

The pam_pkcs11 package can be installed with the following command:

$ sudo zypper install pam_pkcs11

The mozilla-nss package can be installed with the following command:

$ sudo zypper install mozilla-nss

The mozilla-nss-tools package can be installed with the following command:

$ sudo zypper install mozilla-nss-tools

The pcsc-ccid package can be installed with the following command:

$ sudo zypper install pcsc-ccid

The pcsc-lite package can be installed with the following command:

$ sudo zypper install pcsc-lite

The pcsc-tools package can be installed with the following command:

$ sudo zypper install pcsc-tools

The opensc package can be installed with the following command:

$ sudo zypper install opensc

The coolkey package can be installed with the following command:

$ sudo zypper install coolkey
              
SLES-12-030500 install_smartcard_packages
V-217300 1953 medium The SUSE operating system must implement certificate status checking for multifactor authentication. SRG-OS-ID
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.

                
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.
To verify the operating system implements certificate status checking for PKI
authentication, run the following command:
$ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
The output should return multiple lines similiar to the following:
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
      Is it the case that ocsp_on is not configured?
      
Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy lines in
/etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
cert_policy = ca, ocsp_on, signature;
              
SLES-12-030510 smartcard_configure_cert_checking
V-217301 1954 medium The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). SRG-OS-ID
Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.

Using an authentication device, such as a CAC or token that is separate
from the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.

Multifactor solutions that require devices separate from information
systems gaining access include, for example, hardware tokens providing
time-based or challenge-response authenticators and smart cards such as the
U.S. Government Personal Identity Verification card and the DoD Common
Access Card.
Remote access is access to DoD nonpublic information systems by an
authorized user (or an information system) communicating through an
external, non-organization-controlled network. Remote access methods
include, for example, dial-up, broadband, and wireless.

This requirement only applies to components where this is specific to the
function of the device or has the concept of an organizational user (e.g.,
VPN, proxy capability). This does not apply to authentication for the
purpose of configuring the device itself (management).

Check that the pam_pkcs11.so option is configured in the
etc/pam.d/common-auth file with the following command:

# grep pam_pkcs11.so /etc/pam.d/common-auth


auth sufficient pam_pkcs11.so


If pam_pkcs11.so is not set in etc/pam.d/common-auth this
is a finding.
      Is it the case that non-exempt accounts are not using CAC authentication?
      
This requirement only applies to components where this is specific to the
function of the device or has the concept of an organizational user (e.g.,
VPN, proxy capability). This does not apply to authentication for the
purpose of configuring the device itself (management).


Check that the pam_pkcs11.so option is configured in the
etc/pam.d/common-auth file with the following command:

# grep pam_pkcs11.so /etc/pam.d/common-auth

auth sufficient pam_pkcs11.so


For general information about enabling smart card authentication, consult
the documentation at:


                  
                    
                      https://www.suse.com/c/configuring-smart-card-authentication-suse-linux-enterprise/
                    
                  
                
              
SLES-12-030520 smartcard_pam_enabled
V-217302 1991 medium The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. SRG-OS-ID
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.

                
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.
To verify the operating system implements certificate status checking for PKI
authentication, run the following command:
$ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
The output should return multiple lines similiar to the following:
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
      Is it the case that ca is not configured?
      
Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy lines in
/etc/pam_pkcs11/pam_pkcs11.conf to include ca like so:
cert_policy = ca, ocsp_on, signature;
              
SLES-12-030530 smartcard_configure_ca
V-222386 1668 high The SUSE operating system must use a virus scan program. SRG-OS-ID
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.
To verify that McAfee VirusScan Enterprise for Linux is installed
and running, run the following command(s):
$ sudo systemctl status nails
$ rpm -q McAfeeVSEForLinux
      Is it the case that virus scanning software is not installed or running?
      
Install McAfee VirusScan Enterprise for Linux antivirus software
which is provided for DoD systems and uses signatures to search for the
presence of viruses on the filesystem.
SLES-12-030611 install_mcafee_antivirus