CCE Identifiers in Guide to the Secure Configuration of SUSE Linux Enterprise 15

Mapping	Rule Title	Description	Rationale
CCE-83260-0	The Installed Operating System Is Vendor Supported	The installed operating system must be maintained by a vendor. SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise vendor, SUSE is responsible for providing security patches.	An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software.
CCE-83261-8	Ensure Software Patches Installed	If the system is configured for online updates, invoking the following command will list available security updates: $ sudo zypper refresh && sudo zypper list-patches -g security NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.	Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
CCE-83262-6	Modify the System Login Banner	To configure the system login banner edit `/etc/issue`. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: `I've read & consent to terms in IS user agreem't.`	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
CCE-83263-4	Enable SSH Warning Banner	To enable the warning banner and ensure it is consistent across the system, add or correct the following line in `/etc/ssh/sshd_config`: Banner /etc/issue Another section contains information on how to create an appropriate system-wide warning banner.	The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
CCE-83264-2	Modify the System GUI Login Banner	To configure the GUI system login banner edit `/etc/gdm/banner`. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: `I've read & consent to terms in IS user agreem't.`	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
CCE-83265-9	Enable GNOME3 Login Warning Banner	In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting `banner-message-enable` to `true`. To enable, add or edit `banner-message-enable` to `/etc/dconf/db/gdm.d/00-security-settings`. For example: [org/gnome/login-screen] banner-message-enable=true Once the setting has been added, add a lock to `/etc/dconf/db/gdm.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/login-screen/banner-message-enable After the settings have been set, run `dconf update`. The banner text must also be set.	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
CCE-83266-7	Set the GNOME3 Login Warning Banner Text	In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting `banner-message-text` to `'APPROVED_BANNER'` where APPROVED_BANNER is the approved banner for your environment. To enable, add or edit `banner-message-text` to `/etc/dconf/db/gdm.d/00-security-settings`. For example: [org/gnome/login-screen] banner-message-text='APPROVED_BANNER' Once the setting has been added, add a lock to `/etc/dconf/db/gdm.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/login-screen/banner-message-text After the settings have been set, run `dconf update`. When entering a warning banner that spans several lines, remember to begin and end the string with `'` and use `\n` for new lines.	An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
CCE-83267-5	Configure GNOME3 DConf User Profile	By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such the DConf User profile should always exist and be configured correctly. To make sure that the user profile is configured correctly, the `/etc/dconf/profile/gdm` should be set as follows: user-db:user system-db:gdm	Failure to have a functional DConf profile prevents GNOME3 configuration settings from being enforced for all users and allows various security risks.
CCE-83268-3	Check that vlock is installed to allow session locking	The SUSE Linux Enterprise 15 operating system must have vlock installed to allow for session locking. The `kbd` package can be installed with the following command: $ sudo zypper install kbd	A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.
CCE-83269-1	Set Interactive Session Timeout	Setting the `TMOUT` option in `/etc/profile` ensures that all user sessions will terminate based on inactivity. A value of `0` (zero) disables the automatic logout feature and is therefore not a compliant setting. The value of TMOUT should be a positive integer, exported, and read only. The `TMOUT` setting in `/etc/profile.d/autologout.sh` should read as follows: TMOUT=`600` readonly TMOUT export TMOUT	Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
CCE-83270-9	Set SSH Daemon LogLevel to VERBOSE	The `VERBOSE` parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in `/etc/ssh/sshd_config`: LogLevel VERBOSE	SSH provides several logging levels with varying amounts of verbosity. `DEBUG` is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. `INFO` or `VERBOSE` level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.
CCE-83271-7	Use Only FIPS 140-2 Validated Ciphers	Limit the ciphers to those algorithms which are FIPS-approved. The following line in `/etc/ssh/sshd_config` demonstrates use of FIPS-approved ciphers: Ciphers aes256-ctr,aes192-ctr,aes128-ctr This rule ensures that there are configured ciphers mentioned above (or their subset), keeping the given order of algorithms.	Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on SUSE Linux Enterprise 15.
CCE-83272-5	Configure Smart Card Certificate Authority Validation	Configure the operating system to do certificate status checking for PKI authentication. Modify all of the `cert_policy` lines in `/etc/pam_pkcs11/pam_pkcs11.conf` to include `ca` like so: cert_policy = ca, ocsp_on, signature;	Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider.
CCE-83273-3	Uninstall telnet-server Package	The `telnet-server` package can be removed with the following command: $ sudo zypper remove telnet-server	It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain insecure. They increase the risk to the platform by providing additional attack vectors. The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the `telnet-server` package decreases the risk of the telnet service's accidental (or intentional) activation.
CCE-83274-1	Set Boot Loader Password in grub2	The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-mkpasswd-pbkdf2 When prompted, enter the password that was selected. Using the hash from the output, modify the `/etc/grub.d/40_custom` file with the following content: set superusers="boot" password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString NOTE: the bootloader superuser account and password MUST differ from the root account and password. Once the superuser password has been added, update the `grub.cfg` file by running: grub2-mkconfig -o /boot/grub2/grub.cfg	Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
CCE-83275-8	Set the UEFI Boot Loader Password	The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-mkpasswd-pbkdf2 When prompted, enter the password that was selected. Using the hash from the output, modify the `/etc/grub.d/40_custom` file with the following content: set superusers="boot" password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString NOTE: the bootloader superuser account and password MUST differ from the root account and password. Once the superuser password has been added, update the `grub.cfg` file by running: grub2-mkconfig -o /boot/grub2/grub.cfg	Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
CCE-83277-4	Ensure All Accounts on the System Have Unique User IDs	Change user IDs (UIDs), or delete accounts, so each has a unique name.	To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
CCE-83278-2	Disable the Automounter	The `autofs` daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as `/misc/cd`. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing `/etc/fstab` rather than relying on the automounter. The `autofs` service can be disabled with the following command: $ sudo systemctl mask --now autofs.service	Disabling the automounter permits the administrator to statically control filesystem mounting through `/etc/fstab`. Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
CCE-83279-0	Set Password Hashing Algorithm in /etc/login.defs	In `/etc/login.defs`, add or update the following line to ensure the system will use `SHA512` as the hashing algorithm: ENCRYPT_METHOD `SHA512`	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. Using a stronger hashing algorithm makes password cracking attacks more difficult.
CCE-83280-8	Use Only FIPS 140-2 Validated MACs	Limit the MACs to those hash algorithms which are FIPS-approved. The following line in `/etc/ssh/sshd_config` demonstrates use of FIPS-approved MACs: MACs hmac-sha2-512,hmac-sha2-256 This rule ensures that there are configured MACs mentioned above (or their subset), keeping the given order of algorithms.	FIPS-approved cryptographic hash functions are required to be used. The only SSHv2 hash algorithms meeting this requirement is SHA2.
CCE-83281-6	Set SSH Client Alive Interval	SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out. To set this timeout interval, edit the following line in `/etc/ssh/sshd_config` as follows: ClientAliveInterval `300` The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in `/etc/ssh/sshd_config`. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.	Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.
CCE-83282-4	Verify that All World-Writable Directories Have Sticky Bits Set	When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory DIR, run the following command: $ sudo chmod +t DIR	Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as `/tmp`), and for directories requiring global read/write access.
CCE-83283-2	Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces	To set the runtime status of the `net.ipv4.tcp_syncookies` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.tcp_syncookies = 1	A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
CCE-83284-0	Set SSH Client Alive Count Max to zero	The SSH server sends at most `ClientAliveCountMax` messages during a SSH session and waits for a response from the SSH client. The option `ClientAliveInterval` configures timeout after each `ClientAliveCountMax` message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. To ensure the SSH timeout occurs precisely when the `ClientAliveInterval` is set, set the `ClientAliveCountMax` to value of `0` in `/etc/ssh/sshd_config`:	This ensures a user login will be terminated as soon as the `ClientAliveInterval` is reached.
CCE-83285-7	Verify that local /var/log/messages is not world-readable	Files containing sensitive information should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set the permissions of `/var/log/messages`, run the command: $ sudo chmod 0640 /var/log/messages Check that "permissions.local" file contains the correct permissions rules with the following command: # grep -i messages /etc/permissions.local /var/log/messages root:root 640	The `/var/log/messages` file contains system error messages. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
CCE-83286-5	Deactivate Wireless Network Interfaces	Deactivating wireless network interfaces should prevent normal usage of the wireless capability. Configure the system to disable wireless network interfaces by issuing the following command for every active `<WIFI-INTERFACE>` in the system: $ sudo wicked ifdown <WIFI-INTERFACE> Also remove the configuration files for every wifi adapter from `/etc/wicked/ifconfig/<WIFI-INTERFACE>.xml` to prevent future connections.	The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.
CCE-83287-3	Configure Time Service Maxpoll Interval	The `maxpoll` should be configured to `10` in `/etc/ntp.conf` or `/etc/chrony.conf` (or `/etc/chrony.d/`) to continuously poll time servers. To configure `maxpoll` in `/etc/ntp.conf` or `/etc/chrony.conf` (or `/etc/chrony.d/`) add the following after each `server`, `pool` or `peer` entry: maxpoll `10` to `server` directives. If using chrony, any `pool` directives should be configured too.	Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
CCE-83288-1	Make sure that the dconf databases are up-to-date with regards to respective keyfiles	By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command. More specifically, content present in the following directories: /etc/dconf/db/gdm.d /etc/dconf/db/local.d	Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them.
CCE-83289-9	Install AIDE	The `aide` package can be installed with the following command: $ sudo zypper install aide	The AIDE package must be installed if it is to be available for integrity checking.
CCE-83290-7	Ensure gpgcheck Enabled In Main zypper Configuration	The `gpgcheck` option controls whether RPM packages' signatures are always checked prior to installation. To configure zypper to check package signatures before installing them, ensure the following line appears in `/etc/zypp/zypp.conf` in the `[main]` section: gpgcheck=1	Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
CCE-83291-5	Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate	The sudo `!authenticate` option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the `!authenticate` option does not exist in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.	Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
CCE-83292-3	Install Smart Card Packages For Multifactor Authentication	Configure the operating system to implement multifactor authentication by installing the required package with the following command: The `pam_pkcs11` package can be installed with the following command: $ sudo zypper install pam_pkcs11 The `mozilla-nss` package can be installed with the following command: $ sudo zypper install mozilla-nss The `mozilla-nss-tools` package can be installed with the following command: $ sudo zypper install mozilla-nss-tools The `pcsc-ccid` package can be installed with the following command: $ sudo zypper install pcsc-ccid The `pcsc-lite` package can be installed with the following command: $ sudo zypper install pcsc-lite The `pcsc-tools` package can be installed with the following command: $ sudo zypper install pcsc-tools The `opensc` package can be installed with the following command: $ sudo zypper install opensc	Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider.
CCE-83293-1	Configure Smart Card Certificate Status Checking	Configure the operating system to do certificate status checking for PKI authentication. Modify all of the `cert_policy` lines in `/etc/pam_pkcs11/pam_pkcs11.conf` to include `ocsp_on` like so: cert_policy = ca, ocsp_on, signature;	Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider.
CCE-83294-9	Disable Modprobe Loading of USB Storage Driver	To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the `usb-storage` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/usb-storage.conf`: install usb-storage /bin/false This entry will cause a non-zero return value during a `usb-storage` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install usb-storage /bin/true This will prevent the `modprobe` program from loading the `usb-storage` module, but will not prevent an administrator (or another program) from using the `insmod` program to load the module manually.	USB storage devices such as thumb drives can be used to introduce malicious software.
CCE-83295-6	Configure SSSD's Memory Cache to Expire	SSSD's memory cache should be configured to set to expire records after `300` seconds. To configure SSSD to expire memory cache, set `memcache_timeout` to `300` under the `[nss]` section in `/etc/sssd/sssd.conf`. For example: [nss] memcache_timeout = `300`	If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
CCE-83296-4	Configure SSSD to Expire Offline Credentials	SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set `offline_credentials_expiration` to `1` under the `[pam]` section in `/etc/sssd/sssd.conf`. For example: [pam] offline_credentials_expiration = 1	If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
CCE-83297-2	Enable the OpenSSH Service	The SSH server service, sshd, is commonly needed. The `sshd` service can be enabled with the following command: $ sudo systemctl enable sshd.service	Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
CCE-83299-8	Restrict Exposed Kernel Pointer Addresses Access	To set the runtime status of the `kernel.kptr_restrict` kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=`1` To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.kptr_restrict = `1`	Exposing kernel pointers (through procfs or `seq_printf()`) exposes kernel writeable structures which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallow any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with 0.
CCE-83300-4	Enable Randomized Layout of Virtual Address Space	To set the runtime status of the `kernel.randomize_va_space` kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.randomize_va_space = 2	Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
CCE-85551-0	Ensure zypper Removes Previous Package Versions	`zypper` should be configured to remove previous software components after new versions have been installed. To configure `zypper` to remove the previous software components after updating, set the `solver.upgradeRemoveDroppedPackages` to `1` in `/etc/zypp/zypp.conf`.	Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.
CCE-85552-8	Ensure Logs Sent To Remote Host	To configure rsyslog to send logs to a remote log server, open `/etc/rsyslog.conf` and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting `logcollector` appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: . @`logcollector` Or in RainerScript: . action(type="omfwd" ... target="`logcollector`" protocol="udp") To use TCP for log message delivery: . @@`logcollector` Or in RainerScript: . action(type="omfwd" ... target="`logcollector`" protocol="tcp") To use RELP for log message delivery: . :omrelp:`logcollector` Or in RainerScript: . action(type="omfwd" ... target="`logcollector`" protocol="relp") There must be a resolvable DNS CNAME or Alias record set to "`logcollector`" for logs to be sent correctly to the centralized logging utility.	A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
CCE-85553-6	Assign Expiration Date to Temporary Accounts	Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting `USER` and `YYYY-MM-DD` appropriately: $ sudo chage -E YYYY-MM-DD USER `YYYY-MM-DD` indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.	If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
CCE-85554-4	Set Deny For Failed Password Attempts	The SUSE Linux Enterprise 15 operating system must lock an account after - at most - `3` consecutive invalid access attempts.	By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. To configure the operating system to lock an account after three unsuccessful consecutive access attempts using `pam_tally2.so`, modify the content of both `/etc/pam.d/login` and `/etc/pam.d/common-account` as follows: add or modify the `pam_tally2.so` module line in `/etc/pam.d/login` to ensure both `onerr=fail` and `deny=` are present. For example: auth required pam_tally2.so onerr=fail silent audit deny= add or modify the following line in `/etc/pam.d/common-account`: account required pam_tally2.so
CCE-85555-1	Limit the Number of Concurrent Login Sessions Allowed Per User	Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in `/etc/security/limits.conf` or a file under `/etc/security/limits.d/`: * hard maxlogins `1`	Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
CCE-85556-9	Enable Smart Card Logins in PAM	This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Check that the `pam_pkcs11.so` option is configured in the `etc/pam.d/common-auth` file with the following command: # grep pam_pkcs11.so /etc/pam.d/common-auth auth sufficient pam_pkcs11.so For general information about enabling smart card authentication, consult the documentation at: https://www.suse.com/c/configuring-smart-card-authentication-suse-linux-enterprise/	Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider.
CCE-85557-7	Disable SSH Root Login	The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in `/etc/ssh/sshd_config`: PermitRootLogin no	Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.
CCE-85558-5	Set Account Expiration Following Inactivity	To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in `/etc/default/useradd`: INACTIVE=`35` If a password is currently on the verge of expiration, then `35` day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus `35` day(s) could elapse until the account would be automatically disabled. See the `useradd` man page for more information.	Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
CCE-85559-3	Never Automatically Remove or Disable Emergency Administrator Accounts	Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Check to see if an emergency administrator account password or account expires with the following command: # sudo chage -l [Emergency_Administrator] Password expires:never If `Password expires` or `Account expires` is set to anything other than `never`, this is a finding.	Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. To address access requirements the SUSE operating system can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
CCE-85560-1	Ensure PAM Displays Last Logon/Access Notification	To configure the system to notify users of last logon/access using `pam_lastlog`, add or correct the `pam_lastlog` settings in `/etc/pam.d/login` to include `showfailed` option, such as: session optional pam_lastlog.so showfailed And make sure that the `silent` option is not set for this specific line.	Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
CCE-85561-9	Only Authorized Local User Accounts Exist on Operating System	Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only authorized local users required by the installed software groups and applications that exist on the operating system. The authorized user list can be customized in the refine value variable `var_accounts_authorized_local_users_regex`. OVAL regular expression is used for the user list. Configure the system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. To remove unauthorized system accounts, use the following command: $ sudo userdel unauthorized_user	Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
CCE-85562-7	Ensure Home Directories are Created for New Users	All local interactive user accounts, upon creation, should be assigned a home directory. Configure the operating system to assign home directories to all new local interactive users by setting the `CREATE_HOME` parameter in `/etc/login.defs` to `yes` as follows: CREATE_HOME yes	If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
CCE-85563-5	Enable SSH Print Last Log	Ensure that SSH will display the date and time of the last successful account logon. The default SSH configuration enables print of the date and time of the last login. The appropriate configuration is used if no value is set for `PrintLastLog`. To explicitly enable LastLog in SSH, add or correct the following line in `/etc/ssh/sshd_config`: PrintLastLog yes	Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
CCE-85564-3	Set Password Strength Minimum Digit Characters	The pam_cracklib module's `dcredit` parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add `dcredit=-1` after pam_cracklib.so to require use of a digit in passwords.	Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
CCE-85565-0	Set PAM Password Hashing Algorithm - system-auth	The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/common-password", the `password` section of the file controls which PAM modules to execute during a password change. Set the `pam_unix.so` module in the `password` section to include the option `sha512` and no other hashing algorithms as shown below: password required pam_unix.so `sha512` other arguments... This will help ensure that new passwords for local users will be stored using the `sha512` algorithm.	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the `crypt_style` configuration option in `/etc/libuser.conf` ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
CCE-85566-8	Verify All Account Password Hashes are Shadowed with SHA512	Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command: $ sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes `!` or `*` indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with `$6`, this is a finding.	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
CCE-85567-6	Set Password Hashing Rounds in /etc/login.defs	In `/etc/login.defs`, ensure `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` has the minimum value of `5000`. For example: SHA_CRYPT_MIN_ROUNDS `5000` SHA_CRYPT_MAX_ROUNDS `5000` Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of `5000`.	Passwords need to be protected at all times, and hashing is the standard method for protecting passwords. If passwords are not hashed, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are hashed with a weak algorithm are no more protected than if they are kept in plain text. Using more hashing rounds makes password cracking attacks more difficult.
CCE-85570-0	Set Password Maximum Age	To specify password maximum age for new accounts, edit the file `/etc/login.defs` and add or correct the following line: PASS_MAX_DAYS `60` The profile requirement is `60`.	Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
CCE-85571-8	Set Existing Passwords Maximum Age	Configure non-compliant accounts to enforce a `60`-day maximum password lifetime restriction by running the following command: $ sudo chage -M `60` USER	Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
CCE-85572-6	Verify Permissions and Ownership of Old Passwords File	To properly set the owner of `/etc/security/opasswd`, run the command: $ sudo chown root /etc/security/opasswd To properly set the group owner of `/etc/security/opasswd`, run the command: $ sudo chgrp root /etc/security/opasswd To properly set the permissions of `/etc/security/opasswd`, run the command: $ sudo chmod 0600 /etc/security/opasswd	The `/etc/security/opasswd` file stores old passwords to prevent password reuse. Protection of this file is critical for system security.
CCE-85573-4	Set Password Minimum Length	The pam_cracklib module's `minlen` parameter controls requirements for minimum characters required in a password. Add `minlen=15` to set minimum password length requirements.	Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
CCE-85574-2	Set Password Strength Minimum Special Characters	The pam_cracklib module's `ocredit=` parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Make sure the `ocredit` parameter for the pam_cracklib module is set to less than or equal to `-1`. For example, `ocredit=-1`.	Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
CCE-85575-9	Set Password Retry Limit	The pam_cracklib module's `retry` parameter controls the maximum number of times to prompt the user for the password before returning with error. Make sure it is configured with a value that is no more than `3`. For example, `retry=1`.	To reduce opportunities for successful guesses and brute-force attacks.
CCE-85576-7	Prevent Login to Accounts With Empty Password	If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the `nullok` in password authentication configurations in `/etc/pam.d/` to prevent logins with empty passwords.	If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
CCE-85577-5	Record Events that Modify User/Group Information - /etc/passwd	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/passwd -p wa -k audit_rules_usergroup_modification If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/passwd -p wa -k audit_rules_usergroup_modification	In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
CCE-85578-3	Record Events that Modify User/Group Information - /etc/group	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/group -p wa -k audit_rules_usergroup_modification If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/group -p wa -k audit_rules_usergroup_modification	In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
CCE-85579-1	Record Events that Modify User/Group Information - /etc/shadow	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/shadow -p wa -k audit_rules_usergroup_modification If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/shadow -p wa -k audit_rules_usergroup_modification	In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
CCE-85580-9	Record Events that Modify User/Group Information - /etc/gshadow	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification	In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
CCE-85581-7	Enable auditd Service	The `auditd` service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The `auditd` service can be enabled with the following command: $ sudo systemctl enable auditd.service	Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the `auditd` service is active ensures audit records generated by the kernel are appropriately recorded. Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
CCE-85582-5	Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85583-3	Ensure auditd Collects Information on the Use of Privileged Commands - passwd	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85584-1	Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85585-8	Ensure auditd Collects Information on the Use of Privileged Commands - newgrp	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85586-6	Ensure auditd Collects Information on the Use of Privileged Commands - chsh	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85587-4	Ensure auditd Collects Information on the Use of Privileged Commands - chage	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85588-2	Ensure auditd Collects Information on the Use of Privileged Commands - crontab	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85589-0	Ensure auditd Collects Information on the Use of Privileged Commands - chfn	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
CCE-85590-8	Record Any Attempts to Run ssh-agent	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
CCE-85591-6	Ensure auditd Collects Information on the Use of Privileged Commands - kmod	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
CCE-85593-2	Record Any Attempts to Run chmod	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
CCE-85594-0	Record Any Attempts to Run setfacl	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
CCE-85595-7	Record Any Attempts to Run chacl	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
CCE-85596-5	Record Any Attempts to Run rm	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
CCE-85597-3	Record Attempts to Alter Logon and Logout Events - tallylog	The audit system already collects login information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/log/tallylog -p wa -k logins If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/log/tallylog -p wa -k logins	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
CCE-85598-1	Record Attempts to Alter Logon and Logout Events - lastlog	The audit system already collects login information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/log/lastlog -p wa -k logins If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/log/lastlog -p wa -k logins	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
CCE-85599-9	Ensure auditd Collects Information on the Use of Privileged Commands - passmass	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85600-5	Ensure auditd Collects Information on the Use of Privileged Commands - usermod	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85601-3	Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85602-1	Ensure auditd Collects Information on the Use of Privileged Commands - su	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85603-9	Ensure auditd Collects Information on the Use of Privileged Commands - sudo	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85604-7	Configure auditd mail_acct Action on Low Disk Space	The `auditd` service can be configured to send email to a designated account in certain situations. Add or correct the following line in `/etc/audit/auditd.conf` to ensure that administrators are notified via email for those situations: action_mail_acct = `root`	Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
CCE-85605-4	Configure System to Forward All Mail For The Root Account	Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address `change_me@localhost` is a valid email address reachable from the system in question. Use the following command to configure the alias: $ sudo echo "root: `change_me@localhost`" >> /etc/aliases $ sudo newaliases	A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.
CCE-85606-2	Configure auditd Disk Full Action when Disk Space Is Full	The `auditd` service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting ACTION appropriately: disk_full_action = ACTION Set this value to `single` to cause the system to switch to single-user mode for corrective action. Acceptable values also include `syslog`, `single`, and `halt` For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the `auditd.conf` man page.	Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
CCE-85607-0	Verify that Local Logs of the audit Daemon are not World-Readable	Files containing sensitive information should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user. Check that "permissions.local" file contains the correct permissions rules with the following command: # grep -i audit /etc/permissions.local /var/log/audit/ root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640	Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
CCE-85608-8	Record Unsuccessful Access Attempts to Files - truncate	At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access	Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-85609-6	Verify Permissions of Local Logs of audit Tools	The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. Check that "permissions.local" file contains the correct permissions rules with the following command: grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 0750 /usr/sbin/auditctl root:root 0750 /usr/sbin/auditd root:root 0750 /usr/sbin/ausearch root:root 0755 /usr/sbin/aureport root:root 0755 /usr/sbin/autrace root:root 0750 /usr/sbin/augenrules root:root 0750 Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.	Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SUSE operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.
CCE-85610-4	Configure AIDE to Verify the Audit Tools	The operating system file integrity tool must be configured to protect the integrity of the audit tools.	Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.
CCE-85611-2	Record Events When Privileged Executables Are Run	Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run the following command: $ sudo grep execve /etc/audit/audit.rules If audit is using the "augenrules" tool to load the rules, run the following command: $ sudo grep -r execve /etc/audit/rules.d -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
CCE-85612-0	Ensure the audit Subsystem is Installed	The audit package should be installed.	The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
CCE-85613-8	Ensure the default plugins for the audit dispatcher are Installed	The audit-audispd-plugins package should be installed.	Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
CCE-85614-6	Encrypt Audit Records Sent With audispd Plugin	Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Set the `transport` option in /etc/audit/audisp-remote.conf to `KRB5`.	Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
CCE-85615-3	Configure audispd Plugin To Send Logs To Remote Server	Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the `remote_server` option in /etc/audit/audisp-remote.conf with an IP address or hostname of the system that the audispd plugin should send audit records to. For example remote_server = `logcollector`	Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity.
CCE-85616-1	Configure auditd space_left on Low Disk Space	The `auditd` service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting SIZE_in_MB appropriately: space_left = SIZE_in_MB Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue.	Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
CCE-85617-9	Configure audispd's Plugin disk_full_action When Disk Is Full	Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file `/etc/audit/audisp-remote.conf`. Add or modify the following line, substituting ACTION appropriately: disk_full_action = ACTION Set this value to `single` to cause the system to switch to single user mode for corrective action. Acceptable values also include `syslog` and `halt`. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.	Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
CCE-85618-7	Ensure /var/log/audit Located On Separate Partition	Audit logs are stored in the `/var/log/audit` directory. Ensure that `/var/log/audit` has its own partition or logical volume at installation time, or migrate it using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.	Placing `/var/log/audit` in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
CCE-85619-5	Enforce Delay After Failed Logon Attempts	To configure the system to introduce a delay after failed logon attempts, add or correct the `pam_faildelay` settings in `/etc/pam.d/common-auth` to make sure its `delay` parameter is at least `4000000` or greater. For example: auth required pam_faildelay.so delay=`4000000`	Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
CCE-85621-1	Remove User Host-Based Authentication Files	The `~/.shosts` (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: $ sudo find / -name '.shosts' -type f -delete	The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
CCE-85622-9	Remove Host-Based Authentication Files	The `shosts.equiv` file lists remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: $ sudo rm /[path]/[to]/[file]/shosts.equiv	The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
CCE-85623-7	Configure AIDE to Verify Access Control Lists (ACLs)	By default, the `acl` option is added to the `FIPSR` ruleset in AIDE. If using a custom ruleset or the `acl` option is missing, add `acl` to the appropriate ruleset. For example, add `acl` to the following line in `/etc/aide.conf`: FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds `acl` to all rule sets available in `/etc/aide.conf`	ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.
CCE-85624-5	Configure AIDE to Verify Extended Attributes	By default, the `xattrs` option is added to the `FIPSR` ruleset in AIDE. If using a custom ruleset or the `xattrs` option is missing, add `xattrs` to the appropriate ruleset. For example, add `xattrs` to the following line in `/etc/aide.conf`: FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds `xattrs` to all rule sets available in `/etc/aide.conf`	Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
CCE-85625-2	Disable Ctrl-Alt-Del Reboot Activation	By default, `SystemD` will reboot the system if the `Ctrl-Alt-Del` key sequence is pressed. To configure the system to ignore the `Ctrl-Alt-Del` key sequence from the command line instead of rebooting the system, do either of the following: ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target or systemctl mask ctrl-alt-del.target Do not simply delete the `/usr/lib/systemd/system/ctrl-alt-del.service` file, as this file may be restored during future system updates.	A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
CCE-85627-8	All Interactive Users Must Have A Home Directory Defined	Assign home directories to all interactive users that currently do not have a home directory assigned. This rule checks if the home directory is properly defined in a folder which has at least one parent folder, like "user" in "/home/user" or "/remote/users/user". Therefore, this rule will report a finding for home directories like `/users`, `/tmp` or `/`.	If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
CCE-85628-6	All Interactive Users Home Directories Must Exist	Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in `/etc/passwd`: $ sudo mkdir /home/USER	If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
CCE-85629-4	All Interactive User Home Directories Must Have mode 0750 Or Less Permissive	Change the mode of interactive users home directories to `0750`. To change the mode of interactive users home directory, use the following command: $ sudo chmod 0750 /home/USER	Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
CCE-85630-2	Ensure All User Initialization Files Have Mode 0740 Or Less Permissive	Set the mode of the user initialization files to `0740` with the following command: $ sudo chmod 0740 /home/USER/.INIT_FILE	Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
CCE-85631-0	Ensure that Users Path Contains Only Local Directories	Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory.	The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).
CCE-85632-8	User Initialization Files Must Not Run World-Writable Programs	Set the mode on files being executed by the user initialization files with the following command: $ sudo chmod o-w FILE	If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
CCE-85633-6	Add nosuid Option to /home	The `nosuid` mount option can be used to prevent execution of setuid programs in `/home`. The SUID and SGID permissions should not be required in these user data directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/home`.	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.
CCE-85634-4	Add nosuid Option to Removable Media Partitions	The `nosuid` mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removable media. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of any removable media partitions.	The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.
CCE-85635-1	Mount Remote Filesystems with nosuid	Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of any NFS mounts.	NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.
CCE-85636-9	Mount Remote Filesystems with noexec	Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of any NFS mounts.	The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
CCE-85637-7	Ensure All World-Writable Directories Are Group Owned by a System Account	All directories in local partitions which are world-writable should be group owned by root or another system account. If any world-writable directories are not group owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.	Allowing a user account to group own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
CCE-85638-5	Disable KDump Kernel Crash Analyzer (kdump)	The `kdump` service provides a kernel crash dump analyzer. It uses the `kexec` system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The `kdump` service can be disabled with the following command: $ sudo systemctl mask --now kdump.service	Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.
CCE-85639-3	Ensure /home Located On Separate Partition	If user home directories will be stored locally, create a separate partition for `/home` at installation time (or migrate it later using LVM). If `/home` will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.	Ensuring that `/home` is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
CCE-85640-1	Ensure /var Located On Separate Partition	The `/var` directory is used by daemons and other system services to store frequently-changing data. Ensure that `/var` has its own partition or logical volume at installation time, or migrate it using LVM.	Ensuring that `/var` is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the `/var` directory to contain world-writable directories installed by other software packages.
CCE-85641-9	The PAM configuration should not be changed automatically	Verify the SUSE operating system is configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.	`pam-config` is a command line utility that automatically generates a system PAM configuration as packages are installed, updated or removed from the system. `pam-config` removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security.
CCE-85642-7	Disable SSH Support for User Known Hosts	SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled. To ensure this behavior is disabled, add or correct the following line in `/etc/ssh/sshd_config`: IgnoreUserKnownHosts yes	Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
CCE-85643-5	Verify Permissions on SSH Server Public *.pub Key Files	To properly set the permissions of `/etc/ssh/.pub`, run the command: $ sudo chmod 0644 /etc/ssh/.pub	If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
CCE-85644-3	Verify Permissions on SSH Server Private *_key Key Files	SSH server private keys - files that match the `/etc/ssh/*_key` glob, have to have restricted permissions. If those files are owned by the `root` user and the `root` group, they have to have the `0640` permission or stricter.	If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
CCE-85645-0	Enable Use of Strict Mode Checking	SSHs `StrictModes` option checks file and ownership permissions in the user's home directory `.ssh` folder before accepting login. If world- writable permissions are found, logon is rejected. The default SSH configuration has `StrictModes` enabled. The appropriate configuration is used if no value is set for `StrictModes`. To explicitly enable `StrictModes` in SSH, add or correct the following line in `/etc/ssh/sshd_config`: StrictModes yes	If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.
CCE-85646-8	Enable Use of Privilege Separation	When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the `/etc/ssh/sshd_config` file: UsePrivilegeSeparation `sandbox`	SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section.
CCE-85647-6	Disable Compression Or Set Compression to delayed	Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the `/etc/ssh/sshd_config` file: Compression `no`	If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.
CCE-85648-4	Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces	To set the runtime status of the `net.ipv4.conf.all.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.accept_source_route = 0	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
CCE-85649-2	Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces	To set the runtime status of the `net.ipv6.conf.all.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_source_route = 0	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
CCE-85650-0	Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default	To set the runtime status of the `net.ipv4.conf.default.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.accept_source_route = 0	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
CCE-85651-8	Disable Accepting ICMP Redirects for All IPv4 Interfaces	To set the runtime status of the `net.ipv4.conf.all.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.accept_redirects = 0	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."
CCE-85652-6	Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces	To set the runtime status of the `net.ipv4.conf.default.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.accept_redirects = 0	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
CCE-85653-4	Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default	To set the runtime status of the `net.ipv6.conf.default.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_source_route = 0	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
CCE-85654-2	Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default	To set the runtime status of the `net.ipv4.conf.default.send_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.send_redirects = 0	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.
CCE-85655-9	Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces	To set the runtime status of the `net.ipv4.conf.all.send_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.send_redirects = 0	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.
CCE-85656-7	Ensure System is Not Acting as a Network Sniffer	The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode: $ ip link \| grep PROMISC Promiscuous mode of an interface can be disabled with the following command: $ sudo ip link set dev `device_name` multicast off promisc off	Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.
CCE-85657-5	Ensure All Files Are Owned by a User	If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. Locate the mount points related to local devices by the following command: $ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems \| paste -sd,) For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid user using the following command: $ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null	Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account, or other similar cases. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
CCE-85658-3	Ensure All Files Are Owned by a Group	If any file is not group-owned by a valid defined group, the cause of the lack of group-ownership must be investigated. Following this, those files should be deleted or assigned to an appropriate group. The groups need to be defined in `/etc/group` or in `/usr/lib/group` if `nss-altfiles` are configured to be used in `/etc/nsswitch.conf`. Locate the mount points related to local devices by the following command: $ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems \| paste -sd,) For all mount points listed by the previous command, it is necessary to search for files which do not belong to a valid group using the following command: $ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null	Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account, or other similar cases. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
CCE-85659-1	Ensure the Default Umask is Set Correctly in login.defs	To ensure the default umask controlled by `/etc/login.defs` is set properly, add or correct the `UMASK` setting in `/etc/login.defs` to read as follows: UMASK `027`	The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.
CCE-85663-3	Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD	The sudo `NOPASSWD` tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the `NOPASSWD` tag does not exist in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.	Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
CCE-85664-1	Verify Only Root Has UID 0	If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.	An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
CCE-85665-8	Disable Ctrl-Alt-Del Burst Action	By default, `SystemD` will reboot the system if the `Ctrl-Alt-Del` key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. To configure the system to ignore the `CtrlAltDelBurstAction` setting, add or modify the following to `/etc/systemd/system.conf`: CtrlAltDelBurstAction=none	A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
CCE-85666-6	Do Not Allow SSH Environment Options	Ensure that users are not able to override environment variables of the SSH daemon. The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for `PermitUserEnvironment`. To explicitly disable Environment options, add or correct the following `/etc/ssh/sshd_config`: PermitUserEnvironment no	SSH environment options potentially allow users to bypass access restriction in some configurations.
CCE-85667-4	Disable SSH Access via Empty Passwords	Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for `PermitEmptyPasswords`. To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in `/etc/ssh/sshd_config`: PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.	Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
CCE-85668-2	Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement	Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for the SUSE operating system: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Check the configuration by running the following command: # more /etc/gdm/Xsession The beginning of the file must contain the following text immediately after `#!/bin/sh`: if ! zenity --text-info \ --title "Consent" \ --filename=/etc/gdm/banner \ --no-markup \ --checkbox="Accept." 10 10; then sleep 1; exit 1; fi	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
CCE-85669-0	Set GNOME3 Screensaver Inactivity Timeout	The idle time-out value for inactivity in the GNOME3 desktop is configured via the `idle-delay` setting must be set under an appropriate configuration file(s) in the `/etc/dconf/db/local.d` directory and locked in `/etc/dconf/db/local.d/locks` directory to prevent user modification. For example, to configure the system for a 15 minute delay, add the following to `/etc/dconf/db/local.d/00-security-settings`: [org/gnome/desktop/session] idle-delay=uint32 900	A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.
CCE-85670-8	Verify that Shared Library Files Have Restrictive Permissions	System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in `/lib/modules`. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE	Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.
CCE-85671-6	Configure Periodic Execution of AIDE	At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to `/etc/crontab`: 05 4 * * * root /usr/bin/aide --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to `/etc/crontab`: 05 4 * * 0 root /usr/bin/aide --check AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as `@daily` and `@weekly` is acceptable.	By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
CCE-85672-4	Ensure that System Accounts Do Not Run a Shell Upon Login	Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for each local account is stored in the last field of each line in `/etc/passwd`. System accounts are those user accounts with a user ID less than `1000`. The user ID is stored in the third field. If any system account other than `root` has a login shell, disable it with the command: $ sudo usermod -s /sbin/nologin account	Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
CCE-85673-2	Ensure Users Re-Authenticate for Privilege Escalation - sudo	The sudo `NOPASSWD` and `!authenticate` option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that `NOPASSWD` and/or `!authenticate` do not exist in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`."	Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
CCE-85675-7	Set Password Strength Minimum Uppercase Characters	The pam_cracklib module's `ucredit=` parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add `ucredit=-1` after pam_cracklib.so to require use of an upper case character in passwords.	Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.
CCE-85676-5	Set Password Strength Minimum Lowercase Characters	The pam_cracklib module's `lcredit=` parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add `lcredit=-1` after pam_cracklib.so to require use of a lowercase character in passwords.	Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
CCE-85677-3	Set Password Strength Minimum Different Characters	The pam_cracklib module's `difok` parameter controls requirements for usage of different characters during a password change. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Make sure the `difok` parameter for the pam_cracklib module is configured to greater than or equal to `8`.	Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
CCE-85678-1	Limit Password Reuse	Do not allow users to reuse recent passwords. This can be accomplished by using the `remember` option for the `pam_unix` or `pam_pwhistory` PAM modules.	Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.
CCE-85679-9	Ensure auditd Collects System Administrator Actions	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/sudoers -p wa -k actions If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/sudoers -p wa -k actions If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/sudoers.d/ -p wa -k actions If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/sudoers.d/ -p wa -k actions	The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.
CCE-85680-7	Record Unsuccessful Access Attempts to Files - open	At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access	Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-85681-5	Record Unsuccessful Access Attempts to Files - creat	At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access	Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-85682-3	Record Unsuccessful Access Attempts to Files - openat	At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access	Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-85683-1	Record Unsuccessful Access Attempts to Files - open_by_handle_at	At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access	Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-85684-9	Record Events that Modify the System's Discretionary Access Controls - removexattr	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85685-6	Record Events that Modify the System's Discretionary Access Controls - lremovexattr	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85686-4	Record Events that Modify the System's Discretionary Access Controls - fremovexattr	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85687-2	Record Events that Modify the System's Discretionary Access Controls - setxattr	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85688-0	Record Events that Modify the System's Discretionary Access Controls - fsetxattr	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85689-8	Record Events that Modify the System's Discretionary Access Controls - lsetxattr	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85690-6	Record Events that Modify the System's Discretionary Access Controls - chown	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85691-4	Record Events that Modify the System's Discretionary Access Controls - lchown	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85692-2	Record Events that Modify the System's Discretionary Access Controls - fchownat	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85693-0	Record Events that Modify the System's Discretionary Access Controls - chmod	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85694-8	Record Events that Modify the System's Discretionary Access Controls - fchmod	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85695-5	Record Events that Modify the System's Discretionary Access Controls - fchmodat	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85696-3	Record Unsuccessful Access Attempts to Files - ftruncate	At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access	Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-85697-1	Configure a Sufficiently Large Partition for Audit Logs	The SUSE Linux Enterprise 15 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Determine which partition the audit records are being written to with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to with the following command: $ sudo df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit	Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
CCE-85698-9	Install firewalld Package	The `firewalld` package can be installed with the following command: $ sudo zypper install firewalld	"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. SUSE Linux Enterprise 15 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)."
CCE-85700-3	Uninstall vsftpd Package	The `vsftpd` package can be removed with the following command: $ sudo zypper remove vsftpd	Removing the `vsftpd` package decreases the risk of its accidental activation.
CCE-85701-1	Record Unsuccessful Delete Attempts to Files - rename	The audit system should collect unsuccessful file deletion attempts for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`. If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file. -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete	Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-85702-9	Record Unsuccessful Delete Attempts to Files - renameat	The operating system must generate audit records for all uses of the `renameat` system call. Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Add or update the following lines to `/etc/audit/rules.d/audit.rules` to configure the operating system to generate an audit record for all uses of the `renameat` system call: -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k perm_mod	Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-85703-7	Record Unsuccessful Delete Attempts to Files - unlink	The operating system must generate audit records for all uses of the `unlink` system call. Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Add or update the following lines to `/etc/audit/rules.d/audit.rules` to configure the operating system to generate an audit record for all uses of the `unlink` system call: -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=-1 -k perm_mod	Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-85704-5	Record Unsuccessful Delete Attempts to Files - unlinkat	The operating system must generate audit records for all uses of the `unlinkat` system call. Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Add or update the following lines to `/etc/audit/rules.d/audit.rules` to configure the operating system to generate an audit record for all uses of the `unlinkat` system call: -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=-1 -k perm_mod	Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-85705-2	Configure audispd's Plugin network_failure_action On Network Failure	Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file `/etc/audit/audisp-remote.conf`. Add or modify the following line, substituting ACTION appropriately: network_failure_action = ACTION Set this value to `single` to cause the system to switch to single user mode for corrective action. Acceptable values also include `syslog` and `halt`. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. This profile configures the action to be `single`.	Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.
CCE-85706-0	Remove Default Configuration to Disable Syscall Auditing	By default, SUSE Linux Enterprise 15 ships an audit rule to disable syscall auditing for performance reasons. To make sure that syscall auditing works, this line must be removed from `/etc/audit/rules.d/audit.rules` and `/etc/audit/audit.rules`: -a task,never	Audit rules for syscalls do not take effect unless this line is removed.
CCE-85707-8	Disable X11 Forwarding	The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's `X11Forwarding` option is enabled. The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for `X11Forwarding`. To explicitly disable X11 Forwarding, add or correct the following line in `/etc/ssh/sshd_config`: X11Forwarding no	Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.
CCE-85708-6	Disable Accepting ICMP Redirects for All IPv6 Interfaces	To set the runtime status of the `net.ipv6.conf.all.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_redirects = 0	An illicit ICMP redirect message could result in a man-in-the-middle attack.
CCE-85709-4	Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces	To set the runtime status of the `net.ipv4.ip_forward` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.ip_forward = 0	Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.
CCE-85710-2	Set Existing Passwords Minimum Age	Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: $ sudo chage -m 1 USER	Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
CCE-85711-0	All Interactive User Home Directories Must Be Group-Owned By The Primary Group	Change the group owner of interactive users home directory to the group found in `/etc/passwd`. To change the group owner of interactive users home directory, use the following command: $ sudo chgrp USER_GROUP /home/USER This rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory.	If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.
CCE-85712-8	The operating system must restrict privilege elevation to authorized personnel	The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. Restrict privileged actions by removing the following entries from the sudoers file: `ALL ALL=(ALL) ALL` `ALL ALL=(ALL:ALL) ALL`	If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.
CCE-85713-6	Disable Kernel Parameter for IPv6 Forwarding	To set the runtime status of the `net.ipv6.conf.all.forwarding` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.forwarding = 0	IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
CCE-85714-4	Record Attempts to Alter Process and Session Initiation Information utmp	The audit system already collects process information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/run/utmp -p wa -k session If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/run/utmp -p wa -k session	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
CCE-85715-1	Implement Blank Screensaver	On SUSE users should set the screensaver to use publicly viewable images or blank screen by doing the following: Find the Settings menu and then navigate to the Background selection section `- Click "Activities" on the top left.` `- Click "Show Applications" at the bottom of the Activities menu.` `- Click the "Settings" icon.` `- Click "Background" from left hand menu.` `- Select image and set the Lock Screen image to the user's choice.` `- Exit Settings Dialog.` To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set `picture-uri` to `string ''` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/screensaver] picture-uri=string '' Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/screensaver/picture-uri After the settings have been set, run `dconf update`.	Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
CCE-85716-9	Record Any Attempts to Run chcon	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85717-7	Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85718-5	Ensure auditd Collects Information on Exporting to Media (successful)	At a minimum, the audit system should collect media exportation events for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export	The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
CCE-85719-3	Encrypt Partitions	SUSE Linux Enterprise 15 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the `Encrypt` checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the SUSE Linux Enterprise 15 Documentation web site: https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-security-cryptofs.html .	The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.
CCE-85720-1	Set Password Minimum Age	To specify password minimum age for new accounts, edit the file `/etc/login.defs` and add or correct the following line: PASS_MIN_DAYS `7` A value of 1 day is considered sufficient for many environments. The profile requirement is `7`.	Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
CCE-85721-9	Record Events that Modify the System's Discretionary Access Controls - fchown	At a minimum, the audit system should collect file permission changes for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85722-7	Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces	To set the runtime status of the `net.ipv6.conf.default.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_redirects = 0	An illicit ICMP redirect message could result in a man-in-the-middle attack.
CCE-85723-5	Disable GDM Unattended or Automatic Login	The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials or unattended login. User should always be required to authenticate themselves to the system that they are authorized to use. To disable user ability to automatically login to the system, set the `DISPLAYMANAGER_AUTOLOGIN=""` or `DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"` in the `/etc/sysconfig/displaymanager`. For example: DISPLAYMANAGER_AUTOLOGIN="" DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"	Failure to restrict system access to authenticated users negatively impacts operating system security.
CCE-85724-3	Ensure real-time clock is set to UTC	Ensure that the system real-time clock (RTC) is set to Coordinated Universal Time (UTC).	If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the operating system include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.
CCE-85725-0	Disable Kernel Parameter for IPv6 Forwarding by default	To set the runtime status of the `net.ipv6.conf.default.forwarding` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.forwarding=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.forwarding = 0	IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
CCE-85726-8	Record Unsuccessful Delete Attempts to Files - renameat2	The operating system must generate audit records for all uses of the `renameat2` system call. Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Add or update the following lines to `/etc/audit/rules.d/audit.rules` to configure the operating system to generate an audit record for all uses of the `renameat2` system call: -a always,exit -F arch=b32 -S renameat2 -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S renameat2 -F auid>=1000 -F auid!=-1 -k perm_mod	Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-85727-6	Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85728-4	Record Events that Modify User/Group Information - /etc/security/opasswd	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification	In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
CCE-85729-2	Verify that System Executables Have Restrictive Permissions	System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE	System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
CCE-85730-0	Verify that System Executables Have Root Ownership	System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin All files in these directories should be owned by the `root` user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command: $ sudo chown root FILE	System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
CCE-85731-8	Ensure auditd Collects Information on the Use of Privileged Commands - modprobe	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /sbin/modprobe -p x -k modules If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -w /sbin/modprobe -p x -k modules	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85732-6	Ensure auditd Collects Information on the Use of Privileged Commands - rmmod	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /sbin/rmmod -p x -k modules	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85734-2	Record Events that Modify the System's Discretionary Access Controls - umount	At a minimum, the audit system should collect file system umount changes. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-85735-9	Verify that Shared Library Directories Have Root Ownership	System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in `/lib/modules`. All files in these directories should be owned by the `root` user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chown root DIR	Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system.
CCE-85736-7	Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.	System-wide library files are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 All system-wide shared library files should be protected from unauthorised access. If any of these files is not group-owned by root, correct its group-owner with the following command: $ sudo chgrp root FILE	If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
CCE-85737-5	Verify that Shared Library Directories Have Root Group Ownership	System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in `/lib/modules`. All files in these directories should be group-owned by the `root` user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chgrp root DIR	Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system.
CCE-85738-3	Verify that system commands are protected from unauthorized access	System commands are stored in the following directories by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod 755 FILE	System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
CCE-85740-9	Disable Core Dumps for All Users	To disable core dumps for all users, add the following line to `/etc/security/limits.conf`, or to a file within the `/etc/security/limits.d/` directory: * hard core 0	A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
CCE-85741-7	Verify that system commands directories have root ownership	System commands are stored in the following directories by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin All these directories should be owned by the `root` user. If any system command directory is not owned by a user other than root correct its ownership with the following command: $ sudo chown root DIR	If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
CCE-85742-5	Verify that system commands files are group owned by root or a system account	System commands files are stored in the following directories by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin All files in these directories should be owned by the `root` group, or a system account. If the directory, or any file in these directories, is found to be owned by a group other than root or a a system account correct its ownership with the following command: $ sudo chgrp root FILE	If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
CCE-85743-3	Verify that system commands directories have root as a group owner	System commands are stored in the following directories: by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin All these directories should have `root` user as a group owner. If any system command directory is not group owned by a user other than root correct its ownership with the following command: $ sudo chgrp root DIR	If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
CCE-85744-1	Ensure auditd Collects Information on the Use of Privileged Commands - insmod	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /sbin/insmod -p x -k modules	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85745-8	Disable core dump backtraces	The `ProcessSizeMax` option in `[Coredump]` section of `/etc/systemd/coredump.conf` or in a drop-in file under `/etc/systemd/coredump.conf.d/` specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.	A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.
CCE-85746-6	Disable storing core dump	The `Storage` option in `[Coredump]` section of `/etc/systemd/coredump.conf` or a drop-in file in `/etc/systemd/coredump.conf.d/*.conf` can be set to `none` to disable storing core dumps permanently.	A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.
CCE-85747-4	Ensure invoking users password for privilege escalation when using sudo	The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output for: sudo cvtsudoers -f sudoers /etc/sudoers \| grep -E '^Defaults !?(rootpw\|targetpw\|runaspw)$' Defaults !targetpw Defaults !rootpw Defaults !runaspw or if cvtsudoers not supported: sudo find /etc/sudoers /etc/sudoers.d $ \! -name '~' -a \! -name '.' $ -exec grep -E --with-filename '^[[:blank:]]Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw\|targetpw\|runaspw)' -- {} \; /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw	If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
CCE-85748-2	Ensure auditd Collects Information on Kernel Module Unloading - delete_module	To capture kernel module loading and unloading events, use the following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S delete_module -F key=modules Place to add the line depends on a way `auditd` daemon is configured. If it is configured to use the `augenrules` program (the default), add the line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`. If the `auditd` daemon is configured to use the `auditctl` utility, add the line to file `/etc/audit/audit.rules`.	The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
CCE-85749-0	Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module	To capture kernel module loading and unloading events, use the following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S finit_module -F key=modules Place to add the line depends on a way `auditd` daemon is configured. If it is configured to use the `augenrules` program (the default), add the line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`. If the `auditd` daemon is configured to use the `auditctl` utility, add the line to file `/etc/audit/audit.rules`.	The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
CCE-85750-8	Ensure auditd Collects Information on Kernel Module Loading - init_module	To capture kernel module loading and unloading events, use the following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S init_module -F key=modules Place to add the line depends on a way `auditd` daemon is configured. If it is configured to use the `augenrules` program (the default), add the line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`. If the `auditd` daemon is configured to use the `auditctl` utility, add the line to file `/etc/audit/audit.rules`.	The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
CCE-85751-6	Verify firewalld Enabled	The `firewalld` service can be enabled with the following command: $ sudo systemctl enable firewalld.service	Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.
CCE-85752-4	Ensure AppArmor is Active and Configured	Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control. The `apparmor` service can be enabled with the following command: $ sudo systemctl enable apparmor.service	Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Verification of whitelisted software occurs prior to execution or at system startup. Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources. Apparmor can confine users to their home directory, not allowing them to make any changes outside of their own home directories. Confining users to their home directory will minimize the risk of sharing information.
CCE-85753-2	Verify that Shared Library Directories Have Restrictive Permissions	System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in `/lib/modules`. All sub-directories in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w DIR	If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
CCE-85754-0	Set PAM's Common Authentication Hashing Algorithm	The PAM system service can be configured to only store encrypted representations of passwords. In `/etc/pam.d/common-auth`, the `auth` section of the file controls which PAM modules execute during a password change. Set the `pam_unix.so` module in the `auth` section to include the argument `sha512`, as shown below: auth required pam_unix.so sha512 other arguments... This will help ensure when local users change their authentication method, hashes for the new authentications will be generated using the SHA-512 algorithm. This is the default.	Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and data may be compromised. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the `crypt_style` configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
CCE-85755-7	Verify permissions of log files	Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.	The SUSE Linux Enterprise 15 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
CCE-85756-5	Verify that Shared Library Files Have Root Ownership	System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in `/lib/modules`. All files in these directories should be owned by the `root` user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chown root FILE	Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.
CCE-85757-3	Record Attempts to Alter Process and Session Initiation Information wtmp	The audit system already collects process information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/log/wtmp -p wa -k session If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/log/wtmp -p wa -k session	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
CCE-85758-1	Record Attempts to Alter Process and Session Initiation Information btmp	The audit system already collects process information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/log/btmp -p wa -k session If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/log/btmp -p wa -k session	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
CCE-85759-9	Uninstall DHCP Server Package	If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The `dhcp-server` package can be removed with the following command: $ sudo zypper remove dhcp-server	Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.
CCE-85760-7	Uninstall rsh Package	The `rsh` package contains the client commands for the rsh services	These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the `rsh` package removes the clients for `rsh`,`rcp`, and `rlogin`.
CCE-85761-5	Uninstall Sendmail Package	Sendmail is not the default mail transfer agent and is not installed by default. The `sendmail` package can be removed with the following command: $ sudo zypper remove sendmail	The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
CCE-85762-3	Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85763-1	Verify '/proc/sys/crypto/fips_enabled' exists	On a system where FIPS 140-2 mode is enabled, `/proc/sys/crypto/fips_enabled` must exist. To verify FIPS mode, run the following command: cat /proc/sys/crypto/fips_enabled	Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
CCE-85764-9	Require Re-Authentication When Using the sudo Command	The sudo `timestamp_timeout` tag sets the amount of time sudo password prompt waits. The default `timestamp_timeout` value is 5 minutes. The timestamp_timeout should be configured by making sure that the `timestamp_timeout` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.	Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
CCE-85765-6	Install the pam_apparmor Package	The `pam_apparmor` package can be installed with the following command: $ sudo zypper install pam_apparmor	Protection of system integrity using AppArmor depends on this package being installed.
CCE-85766-4	Enable GNOME3 Screensaver Lock After Idle Period	To activate locking of the screensaver in the GNOME3 desktop when it is activated, run the following command to configure the SUSE operating system to allow the user to lock the GUI: gsettings set org.gnome.desktop.lockdown disable-lock-screen false Validate that `disable-lock-screen` has been set to `false` with the command: gsettings get org.gnome.desktop.lockdown disable-lock-screen	A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence.
CCE-85767-2	Ensure auditd Collects File Deletion Events by User	At a minimum the audit system should collect file deletion events for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat,renameat2 -F auid>=1000 -F auid!=unset -F key=delete If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat2 -S renameat -F auid>=1000 -F auid!=unset -F key=delete	Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
CCE-85768-0	Ensure auditd Collects File Deletion Events by User - rename	At a minimum, the audit system should collect file deletion events for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete	Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
CCE-85769-8	Ensure auditd Collects File Deletion Events by User - renameat	At a minimum, the audit system should collect file deletion events for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete	Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
CCE-85770-6	Ensure auditd Collects File Deletion Events by User - rmdir	At a minimum, the audit system should collect file deletion events for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete	Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
CCE-85771-4	Ensure auditd Collects File Deletion Events by User - unlink	At a minimum, the audit system should collect file deletion events for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete	Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
CCE-85772-2	Ensure auditd Collects File Deletion Events by User - unlinkat	At a minimum, the audit system should collect file deletion events for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete	Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
CCE-85773-0	Ensure auditd Collects Information on the Use of Privileged Commands - userhelper	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85774-8	Shutdown System When Auditing Failures Occur	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to to the bottom of a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -f `2` If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to the bottom of the `/etc/audit/audit.rules` file: -f `2`	It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
CCE-85775-5	Configure auditd flush priority	The `auditd` service can be configured to synchronously write audit event data to disk. Add or correct the following line in `/etc/audit/auditd.conf` to ensure that audit event data is fully synchronized with the log files on the disk: flush = `data`	Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk.
CCE-85776-3	Configure System Cryptography Policy	To configure the system cryptography policy to use ciphers only from the `DEFAULT` policy, run the following command: $ sudo update-crypto-policies --set `DEFAULT` The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the `/etc/crypto-policies/back-ends` are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.	Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
CCE-85777-1	Require Credential Prompting for Remote Access in GNOME3	By default, `GNOME` does not require credentials when using `Vino` for remote access. To configure the system to require remote credentials, add or set `authentication-methods` to `['vnc']` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/Vino] authentication-methods=['vnc'] Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/Vino/authentication-methods After the settings have been set, run `dconf update`.	Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely.
CCE-85778-9	Configure auditd max_log_file_action Upon Reaching Maximum Log Size	The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by `auditd`, add or correct the line in `/etc/audit/auditd.conf`: max_log_file_action = ACTION Possible values for ACTION are described in the `auditd.conf` man page. These include: `ignore` `syslog` `suspend` `rotate` `keep_logs` Set the `ACTION` to `rotate`. The setting is case-insensitive.	Automatically rotating logs (by setting this to `rotate`) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, `keep_logs` can be employed.
CCE-85779-7	Configure auditd to use audispd's syslog plugin	To configure the `auditd` service to use the `syslog` plug-in of the `audispd` audit event multiplexor, set the `active` line in `/etc/audit/plugins.d/syslog.conf` to `yes`. Restart the `auditd` service: $ sudo service auditd restart	The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server.
CCE-85780-5	Configure auditd Number of Logs Retained	Determine how many log files `auditd` should retain when it rotates logs. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting NUMLOGS with the correct value of `5`: num_logs = NUMLOGS Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.	The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
CCE-85782-1	Verify and Correct File Permissions with RPM	The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command: $ sudo rpm -Va \| awk '{ if (substr($0,2,1)=="M") print $NF }' Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --restore PACKAGENAME	Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
CCE-85783-9	Enable GNOME3 Screensaver Idle Activation	To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set `idle-activation-enabled` to `true` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/screensaver] idle-activation-enabled=true Once the setting has been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/screensaver/idle-activation-enabled After the settings have been set, run `dconf update`.	A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.
CCE-85784-7	Ensure PAM Enforces Password Requirements - Minimum Digit Characters	The pam_pwquality module's `dcredit` parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the `dcredit` setting in `/etc/security/pwquality.conf` to require the use of a digit in passwords.	Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
CCE-85785-4	Ensure PAM Enforces Password Requirements - Minimum Length	The pam_pwquality module's `minlen` parameter controls requirements for minimum characters required in a password. Add `minlen=15` after pam_pwquality to set minimum password length requirements.	The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
CCE-85786-2	Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters	The pam_pwquality module's `ucredit=` parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the `ucredit` setting in `/etc/security/pwquality.conf` to require the use of an uppercase character in passwords.	Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
CCE-85787-0	Build and Test AIDE Database	Run the following command to generate a new database: $ sudo /usr/bin/aide --init By default, the database will be written to the file `/var/lib/aide/aide.db.new`. Storing the database, the configuration file `/etc/aide.conf`, and the binary `/usr/bin/aide` (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: $ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db To initiate a manual check, run the following command: $ sudo /usr/bin/aide --check If this check produces any unexpected output, investigate.	For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
CCE-85788-8	Verify File Hashes with RPM	Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands matches vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: $ rpm -Va --noconfig \| grep '^..5' If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file: $ rpm -qf FILENAME The package can be reinstalled from a zypper repository using the command: $ sudo zypper reinstall PACKAGENAME Alternatively, the package can be reinstalled from trusted media using the command: $ sudo rpm -Uvh PACKAGENAME	The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
CCE-85789-6	Install Intrusion Detection Software	The base SUSE Linux Enterprise 15 platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised.	Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.
CCE-85791-2	Configure Libreswan to use System Crypto Policy	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the `/etc/ipsec.conf` includes the appropriate configuration file. In `/etc/ipsec.conf`, make sure that the following line is not commented out or superseded by later includes: `include /etc/crypto-policies/back-ends/libreswan.config`	Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.
CCE-85794-6	Configure OpenSSL library to use System Crypto Policy	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under `/etc/ssl/openssl.cnf`. This file has the `ini` format, and it enables crypto policy support if there is a `[ crypto_policy ]` section that contains the `.include /etc/crypto-policies/back-ends/opensslcnf.config` directive.	Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented.
CCE-85795-3	Configure SSH to use System Crypto Policy	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the `CRYPTO_POLICY` variable is either commented or not set at all in the `/etc/sysconfig/sshd`.	Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.
CCE-85796-1	Ensure SUSE GPG Key Installed	To ensure the system can cryptographically verify base software packages come from SUSE (and to connect to the SUSE to receive them), the SUSE GPG key must properly be installed. To install the SUSE GPG key, run: $ sudo zypper install suse-build-key If the system is not connected to the Internet or an RHN Satellite, then install the SUSE GPG key from trusted media such as the SUSE installation CD-ROM or DVD. Assuming the disc is mounted in `/media/cdrom`, use the following command as the root user to import it into the keyring: $ sudo rpm --import /media/cdrom/content.key or $ sudo rpm --import /media/cdrom/repodata/repomd.xml.key Alternatively, the key may be pre-loaded during the SUSE installation. In such cases, one can use the repository cache files to install the key, for example by running the following command: sudo rpm --import /var/cache/zypp/raw/Basesystem_Module_15_SP2_x86_64:SLE-Module-Basesystem15-SP2-Pool/repodata/repomd.xml.key	Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The SUSE GPG key is necessary to cryptographically verify packages are from SUSE.
CCE-85797-9	Ensure gpgcheck Enabled for All zypper Package Repositories	To ensure signature checking is not disabled for any repos, remove any lines from files in `/etc/zypp/repos.d` of the form: gpgcheck=0	Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)."
CCE-85798-7	Set Password Hashing Algorithm in /etc/libuser.conf	In `/etc/libuser.conf`, add or correct the following line in its `[defaults]` section to ensure the system will use the `sha512` algorithm for password hashing: crypt_style = `sha512`	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the `crypt_style` configuration option in `/etc/libuser.conf` ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
CCE-85799-5	Install libreswan Package	The libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The `libreswan` package can be installed with the following command: $ sudo zypper install libreswan	Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
CCE-85801-9	Verify Group Who Owns group File	To properly set the group owner of `/etc/group`, run the command: $ sudo chgrp root /etc/group	The `/etc/group` file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
CCE-85802-7	Verify User Who Owns group File	To properly set the owner of `/etc/group`, run the command: $ sudo chown root /etc/group	The `/etc/group` file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
CCE-85803-5	Verify Permissions on group File	To properly set the permissions of `/etc/group`, run the command: $ sudo chmod 0644 /etc/group	The `/etc/group` file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
CCE-85804-3	Verify Permissions on shadow File	To properly set the permissions of `/etc/shadow`, run the command: $ sudo chmod 0640 /etc/shadow	The `/etc/shadow` file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
CCE-85805-0	Verify Permissions on passwd File	To properly set the permissions of `/etc/passwd`, run the command: $ sudo chmod 0644 /etc/passwd	If the `/etc/passwd` file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
CCE-85806-8	Verify User Who Owns passwd File	To properly set the owner of `/etc/passwd`, run the command: $ sudo chown root /etc/passwd	The `/etc/passwd` file contains information about the users that are configured on the system. Protection of this file is critical for system security.
CCE-85807-6	Verify User Who Owns shadow File	To properly set the owner of `/etc/shadow`, run the command: $ sudo chown root /etc/shadow	The `/etc/shadow` file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
CCE-85808-4	Verify Group Who Owns shadow File	To properly set the group owner of `/etc/shadow`, run the command: $ sudo chgrp shadow /etc/shadow	The `/etc/shadow` file stores password hashes. Protection of this file is critical for system security.
CCE-85809-2	Verify Group Who Owns passwd File	To properly set the group owner of `/etc/passwd`, run the command: $ sudo chgrp root /etc/passwd	The `/etc/passwd` file contains information about the users that are configured on the system. Protection of this file is critical for system security.
CCE-85810-0	System Audit Logs Must Be Owned By Root	All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/ . To properly set the owner of `/var/log/audit`, run the command: $ sudo chown root /var/log/audit To properly set the owner of `/var/log/audit/`, run the command: $ sudo chown root /var/log/audit/	Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
CCE-85811-8	System Audit Logs Must Have Mode 0640 or Less Permissive	If `log_group` in `/etc/audit/auditd.conf` is set to a group other than the `root` group account, change the mode of the audit log files with the following command: $ sudo chmod 0640 audit_file Otherwise, change the mode of the audit log files with the following command: $ sudo chmod 0600 audit_file	If users can write to audit logs, audit trails can be modified or destroyed.
CCE-85812-6	Record Attempts to Alter the localtime File	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/localtime -p wa -k audit_time_rules If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/localtime -p wa -k audit_time_rules	Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
CCE-85813-4	Record attempts to alter time through settimeofday	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules	Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
CCE-85814-2	Record attempts to alter time through adjtimex	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules	Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
CCE-85815-9	Record Attempts to Alter Time Through stime	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d` for both 32 bit and 64 bit systems: -a always,exit -F arch=b32 -S stime -F key=audit_time_rules Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file for both 32 bit and 64 bit systems: -a always,exit -F arch=b32 -S stime -F key=audit_time_rules Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined system calls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules	Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
CCE-85816-7	Record Attempts to Alter Time Through clock_settime	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules	Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
CCE-85817-5	Record Any Attempts to Run restorecon	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85818-3	Record Any Attempts to Run setsebool	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85819-1	Record Any Attempts to Run semanage	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85820-9	Ensure auditd Collects Information on the Use of Privileged Commands - postdrop	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85821-7	Ensure auditd Collects Information on the Use of Privileged Commands - postqueue	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-85822-5	Require Encryption for Remote Access in GNOME3	By default, `GNOME` requires encryption when using `Vino` for remote access. To prevent remote access encryption from being disabled, add or set `require-encryption` to `true` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/Vino] require-encryption=true Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/Vino/require-encryption After the settings have been set, run `dconf update`.	Open X displays allow an attacker to capture keystrokes and to execute commands remotely.
CCE-85823-3	Configure auditd space_left Action on Low Disk Space	The `auditd` service can be configured to take an action when disk space starts to run low. Edit the file `/etc/audit/auditd.conf`. Modify the following line, substituting ACTION appropriately: space_left_action = ACTION Possible values for ACTION are described in the `auditd.conf` man page. These include: `syslog` `email` `exec` `suspend` `single` `halt` Set this to `email` (instead of the default, which is `suspend`) as it is more likely to get prompt attention. Acceptable values also include `suspend`, `single`, and `halt`.	Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
CCE-85824-1	Configure auditd admin_space_left Action on Low Disk Space	The `auditd` service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting ACTION appropriately: admin_space_left_action = ACTION Set this value to `single` to cause the system to switch to single user mode for corrective action. Acceptable values also include `suspend` and `halt`. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the `auditd.conf` man page.	Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
CCE-85825-8	Configure auditd Max Log File Size	Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting the correct value of `6` for STOREMB: max_log_file = STOREMB Set the value to `6` (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.	The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
CCE-85826-6	Enable Smartcards in SSSD	SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set `pam_cert_auth` to `True` under the `[pam]` section in `/etc/sssd/sssd.conf`. For example: [pam] pam_cert_auth = True	Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multi-Factor Authentication (MFA) solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider.
CCE-85827-4	Force opensc To Use Defined Smart Card Driver	The OpenSC smart card middleware can auto-detect smart card drivers; however by forcing the smart card driver in use by your organization, opensc will no longer autodetect or use other drivers unless specified. This helps to prevent users from using unauthorized smart cards. The default smart card driver for this profile is `default`. To force the OpenSC driver, edit the `/etc/opensc.conf`. Look for a line similar to: # force_card_driver = customcos; and change it to: force_card_driver = `default`;	Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Forcing the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards.
CCE-85828-2	Record Events that Modify the System's Network Environment	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification	The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
CCE-85829-0	Record Attempts to Alter Process and Session Initiation Information	The audit system already collects process information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d` in order to watch for attempted manual edits of files involved in storing such process information: -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file in order to watch for attempted manual edits of files involved in storing such process information: -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
CCE-85830-8	Record Events that Modify the System's Mandatory Access Controls	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/selinux/ -p wa -k MAC-policy If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -w /etc/selinux/ -p wa -k MAC-policy	The system's mandatory access policy (SELinux or Apparmor) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
CCE-85831-6	Make the auditd Configuration Immutable	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d` in order to make the auditd configuration immutable: -e 2 If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file in order to make the auditd configuration immutable: -e 2 With this setting, a reboot will be required to change any audit rules.	Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.
CCE-85832-4	Enable Auditing for Processes Which Start Prior to the Audit Daemon	To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument `audit=1` to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain audit=1 as follows: # grub2-editenv - set "$(grub2-editenv - list \| grep kernelopts) audit=1"	Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although `auditd` takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
CCE-85833-2	A remote time server for Chrony is configured	`Chrony` is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on `chrony` can be found at https://chrony-project.org/. `Chrony` can be configured to be a client and/or a server. Add or edit server or pool lines to `/etc/chrony.conf` as appropriate: server <remote-server> Alternatively, server or pool directives can be specified in files included via `sourcedir` or `confdir` directives in `/etc/chrony.conf`. When using `sourcedir`, create `.sources` files in the specified directory: # In /etc/chrony.conf: sourcedir /etc/chrony/sources.d # In /etc/chrony/sources.d/ntp.sources: server 0.pool.ntp.org When using `confdir`, create `.conf` files in the specified directory: # In /etc/chrony.conf: confdir /etc/chrony/conf.d # In /etc/chrony/conf.d/ntp-servers.conf: pool 1.pool.ntp.org Multiple servers may be configured.	If `chrony` is in use on the system proper configuration is vital to ensuring time synchronization is working properly.
CCE-85834-0	Specify Additional Remote NTP Servers	Depending on specific functional requirements of a concrete production environment, the SUSE Linux Enterprise 15 system can be configured to utilize the services of the `chronyd` NTP daemon (the default), or services of the `ntpd` NTP daemon. Refer to for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons. Additional NTP servers can be specified for time synchronization. To do so, perform the following: if the system is configured to use the `chronyd` as the NTP daemon (the default), edit the file `/etc/chrony.conf` as follows, if the system is configured to use the `ntpd` as the NTP daemon, edit the file `/etc/ntp.conf` as documented below. Add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver: server ntpserver	Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.
CCE-85835-7	Enable the NTP Daemon	Run the following command to determine the current status of the `chronyd` service: $ sudo systemctl is-active chronyd If the service is running, it should return the following: active Note: The `chronyd` daemon is enabled by default. Run the following command to determine the current status of the `ntpd` service: $ sudo systemctl is-active ntpd If the service is running, it should return the following: active Note: The `ntpd` daemon is not enabled by default. Though as mentioned in the previous sections in certain environments the `ntpd` daemon might be preferred to be used rather than the `chronyd` one. Refer to: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-ntp.html for guidance which NTP daemon to choose depending on the environment used.	Enabling some of `chronyd` or `ntpd` services ensures that the NTP daemon will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The `chronyd` and `ntpd` NTP daemons offer all of the functionality of `ntpdate`, which is now deprecated.
CCE-85836-5	Install strongswan Package	The Strongswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The `strongswan` package can be installed with the following command: $ sudo zypper install strongswan	Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
CCE-85837-3	Ensure System Log Files Have Correct Permissions	The file permissions for all log files written by `rsyslog` should be set to 640, or more restrictive. These log files are determined by the second part of each Rule line in `/etc/rsyslog.conf` and typically all appear in `/var/log`. For each log file LOGFILE referenced in `/etc/rsyslog.conf`, run the following command to inspect the file's permissions: $ ls -l LOGFILE If the permissions are not 640 or more restrictive, run the following command to correct this: $ sudo chmod 640 LOGFILE "	Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value.
CCE-85838-1	Ensure Log Files Are Owned By Appropriate Group	The group-owner of all log files written by `rsyslog` should be `root`. These log files are determined by the second part of each Rule line in `/etc/rsyslog.conf` and typically all appear in `/var/log`. For each log file LOGFILE referenced in `/etc/rsyslog.conf`, run the following command to inspect the file's group owner: $ ls -l LOGFILE If the owner is not `root`, run the following command to correct this: $ sudo chgrp root LOGFILE	The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
CCE-85839-9	Ensure Log Files Are Owned By Appropriate User	The owner of all log files written by `rsyslog` should be `root`. These log files are determined by the second part of each Rule line in `/etc/rsyslog.conf` and typically all appear in `/var/log`. For each log file LOGFILE referenced in `/etc/rsyslog.conf`, run the following command to inspect the file's owner: $ ls -l LOGFILE If the owner is not `root`, run the following command to correct this: $ sudo chown root LOGFILE	The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
CCE-85840-7	Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters	The pam_pwquality module's `lcredit` parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the `lcredit` setting in `/etc/security/pwquality.conf` to require the use of a lowercase character in passwords.	Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
CCE-85841-5	Set Lockout Time for Failed Password Attempts	This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using `pam_faillock.so`. Ensure that the file `/etc/security/faillock.conf` contains the following entry: `unlock_time=<interval-in-seconds>` where `interval-in-seconds` is `0` or greater. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as `authselect` or `authconfig`, depending on the OS version. If `unlock_time` is set to `0`, manual intervention by an administrator is required to unlock a user. This should be done using the `faillock` tool.	By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
CCE-85842-3	Lock Accounts After Failed Password Attempts	This rule configures the system to lock out accounts after a number of incorrect login attempts using `pam_faillock.so`. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. Ensure that the file `/etc/security/faillock.conf` contains the following entry: `deny = <count>` Where count should be less than or equal to `3` and greater than 0. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as `authselect` or `authconfig`, depending on the OS version.	By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
CCE-85843-1	Configure opensc Smart Card Drivers	The OpenSC smart card tool can auto-detect smart card drivers; however, setting the smart card drivers in use by your organization helps to prevent users from using unauthorized smart cards. The default smart card driver for this profile is `default`. To configure the OpenSC driver, edit the `/etc/opensc.conf` and add the following line into the file in the `app default` block, so it will look like: app default { ... card_drivers = `default`; }	Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Configuring the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards.
CCE-85844-9	Enable the pcscd Service	The `pcscd` service can be enabled with the following command: $ sudo systemctl enable pcscd.service	Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards or similar secure authentication devices issued by an organization or identity provider.
CCE-85845-6	Ensure All Accounts on the System Have Unique Names	Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: $ sudo getent passwd \| awk -F: '{ print $1}' \| uniq -d If a username is returned, change or delete the username.	Unique usernames allow for accountability on the system.
CCE-85846-4	Verify All Account Password Hashes are Shadowed	If any password hashes are stored in `/etc/passwd` (in the second field, instead of an `x` or `*`), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.	The hashes for all user account passwords should be stored in the file `/etc/shadow` and never in `/etc/passwd`, which is readable by all users.
CCE-85847-2	All GIDs referenced in /etc/passwd must be defined in /etc/group	Add a group to the system for each GID referenced without a corresponding group.	If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group.
CCE-85848-0	Verify /boot/grub2/grub.cfg User Ownership	The file `/boot/grub2/grub.cfg` should be owned by the `root` user to prevent destruction or modification of the file. To properly set the owner of `/boot/grub2/grub.cfg`, run the command: $ sudo chown root /boot/grub2/grub.cfg	Only root should be able to modify important boot parameters.
CCE-85849-8	Verify /boot/grub2/grub.cfg Group Ownership	The file `/boot/grub2/grub.cfg` should be group-owned by the `root` group to prevent destruction or modification of the file. To properly set the group owner of `/boot/grub2/grub.cfg`, run the command: $ sudo chgrp root /boot/grub2/grub.cfg	The `root` group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
CCE-85850-6	Ensure Logrotate Runs Periodically	The `logrotate` utility allows for the automatic rotation of log files. The frequency of rotation is specified in `/etc/logrotate.conf`, which triggers a cron task or a timer. To configure logrotate to run daily, add or correct the following line in `/etc/logrotate.conf`: # rotate log files frequency daily	Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
CCE-91151-1	Ensure sudo only includes the default configuration directory	Administrators can configure authorized `sudo` users via drop-in files, and it is possible to include other directories and configuration files from the file currently being parsed. Make sure that `/etc/sudoers` only includes drop-in configuration files from `/etc/sudoers.d`, or that no drop-in file is included. Either the `/etc/sudoers` should contain only one `#includedir` directive pointing to `/etc/sudoers.d`, and no file in `/etc/sudoers.d/` should include other files or directories; Or the `/etc/sudoers` should not contain any `#include`, `@include`, `#includedir` or `@includedir` directives. Note that the '#' character doesn't denote a comment in the configuration file.	Some `sudo` configuration options allow users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
CCE-91152-9	Verify that Interactive Boot is Disabled	SUSE Linux Enterprise 15 systems support an "interactive boot" option that can be used to prevent services from being started. On a SUSE Linux Enterprise 15 system, interactive boot can be enabled by providing a `1`, `yes`, `true`, or `on` value to the `systemd.confirm_spawn` kernel argument in `/etc/default/grub`. Remove any instance of systemd.confirm_spawn=(1\|yes\|true\|on) from the kernel arguments in that file to disable interactive boot. Recovery booting must also be disabled. Confirm that `GRUB_DISABLE_RECOVERY=true` is set in `/etc/default/grub`. It is also required to change the runtime configuration, run: /usr/bin/grub2-editenv - unset systemd.confirm_spawn> grub2-mkconfig -o /boot/grub2/grub.cfg	Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.
CCE-91153-7	Verify Any Configured IPSec Tunnel Connections	Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that if any IPsec connection (`conn`) configured in `/etc/ipsec.conf` and `/etc/ipsec.d` exists is an approved organizational connection.	IP tunneling mechanisms can be used to bypass network filtering.
CCE-91155-2	Ensure There Are No Accounts With Blank or Null Passwords	Check the "/etc/shadow" file for blank passwords with the following command: $ sudo awk -F: '!$2 {print $1}' /etc/shadow If the command returns any results, this is a finding. Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: $ sudo passwd [username] Lock an account: $ sudo passwd -l [username]	If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
CCE-91156-0	Disallow Configuration to Bypass Password Requirements for Privilege Escalation	Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: $ sudo grep pam_succeed_if /etc/pam.d/sudo If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.	Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
CCE-91157-8	Ensure PAM Enforces Password Requirements - Minimum Special Characters	The pam_pwquality module's `ocredit=` parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the `ocredit` setting in `/etc/security/pwquality.conf` to equal `-1` to require use of a special character in passwords.	Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
CCE-91158-6	Remove tftp Daemon	Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. The package `tftp` is a client program that allows for connections to a `tftp` server.	It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services.
CCE-91159-4	Remove NIS Client	The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (`ypbind`) was used to bind a system to an NIS server and receive the distributed configuration files.	The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.
CCE-91160-2	Uninstall ypserv Package	The `ypserv` package can be removed with the following command: $ sudo zypper remove ypserv	The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the `ypserv` package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
CCE-91161-0	Ensure rsyslog is Installed	Rsyslog is installed by default. The `rsyslog` package can be installed with the following command: $ sudo zypper install rsyslog	The rsyslog package provides the rsyslog daemon, which provides system logging services.
CCE-91162-8	Enable rsyslog Service	The `rsyslog` service provides syslog-style logging by default on SUSE Linux Enterprise 15. The `rsyslog` service can be enabled with the following command: $ sudo systemctl enable rsyslog.service	The `rsyslog` service must be running in order to provide logging services, which are essential to system administration.
CCE-91163-6	Install dnf-automatic Package	The `dnf-automatic` package can be installed with the following command: $ sudo zypper install dnf-automatic	`dnf-automatic` is an alternative command line interface (CLI) to `dnf upgrade` suitable for automatic, regular execution.
CCE-91164-4	Enable dnf-automatic Timer	The `dnf-automatic` timer can be enabled with the following command: $ sudo systemctl enable dnf-automatic.timer	The `dnf-automatic` is an alternative command line interface (CLI) to `dnf upgrade` with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. The tool is controlled by `dnf-automatic.timer` SystemD timer.
CCE-91165-1	Configure dnf-automatic to Install Available Updates Automatically	To ensure that the packages comprising the available updates will be automatically installed by `dnf-automatic`, set `apply_updates` to `yes` under `[commands]` section in `/etc/dnf/automatic.conf`.	Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner.
CCE-91166-9	Configure dnf-automatic to Install Only Security Updates	To configure `dnf-automatic` to install only security updates automatically, set `upgrade_type` to `security` under `[commands]` section in `/etc/dnf/automatic.conf`.	By default, `dnf-automatic` installs all available updates. Reducing the amount of updated packages only to updates that were issued as a part of a security advisory increases the system stability.
CCE-91167-7	Ensure gpgcheck Enabled for Local Packages	`zypper` should be configured to verify the signature(s) of local packages prior to installation. To configure `zypper` to verify signatures of local packages, set the `localpkg_gpgcheck` to `1` in `/etc/zypp/zypp.conf`.	Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
CCE-91168-5	Set Password Minimum Length in login.defs	To specify password length requirements for new accounts, edit the file `/etc/login.defs` and add or correct the following line: PASS_MIN_LEN `15` The profile requirement is `15`. If a program consults `/etc/login.defs` and also another PAM module (such as `pam_pwquality`) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.	Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.
CCE-91169-3	Set Interval For Counting Failed Password Attempts	Utilizing `pam_faillock.so`, the `fail_interval` directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Ensure that the file `/etc/security/faillock.conf` contains the following entry: `fail_interval = <interval-in-seconds>` where `interval-in-seconds` is `900` or greater. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as `authselect` or `authconfig`, depending on the OS version.	By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
CCE-91171-9	Configure the root Account for Failed Password Attempts	This rule configures the system to lock out the `root` account after a number of incorrect login attempts using `pam_faillock.so`. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as `authselect` or `authconfig`, depending on the OS version.	By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
CCE-91172-7	Set number of Password Hashing Rounds - system-auth	Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the `rounds` option for the `pam_unix` PAM module. In file `/etc/pam.d/system-auth` append `rounds=5000` to the `pam_unix.so` entry, as shown below: password sufficient pam_unix.so ...existing_options... rounds=`5000` The system's default number of rounds is 5000.	Using a higher number of rounds makes password cracking attacks more difficult.
CCE-91173-5	Set number of Password Hashing Rounds - password-auth	Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the `rounds` option for the `pam_unix` PAM module. In file `/etc/pam.d/common-password` append `rounds=5000` to the `pam_unix.so` entry, as shown below: password sufficient pam_unix.so ...existing_options... rounds=`5000` The system's default number of rounds is 5000.	Using a higher number of rounds makes password cracking attacks more difficult.
CCE-91174-3	Ensure All SUID Executables Are Authorized	The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. This configuration check considers authorized SUID files those which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SUID file not deployed through an RPM will be flagged for further review.	Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.
CCE-91175-0	Ensure All SGID Executables Are Authorized	The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. This configuration check considers authorized SGID files those which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SGID file not deployed through an RPM will be flagged for further review.	Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.
CCE-91176-8	Ensure /boot Located On Separate Partition	It is recommended that the `/boot` directory resides on a separate partition. This makes it easier to apply restrictions e.g. through the `noexec` mount option. Eventually, the `/boot` partition can be configured not to be mounted automatically with the `noauto` mount option.	The `/boot` partition contains the kernel and bootloader files. Access to this partition should be restricted.
CCE-91177-6	Ensure /opt Located On Separate Partition	It is recommended that the `/opt` directory resides on a separate partition.	The `/opt` partition contains additional software, usually installed outside the packaging system. Putting this directory on a separate partition makes it easier to apply restrictions e.g. through the `nosuid` mount option.
CCE-91178-4	Ensure /srv Located On Separate Partition	If a file server (FTP, TFTP...) is hosted locally, create a separate partition for `/srv` at installation time (or migrate it later using LVM). If `/srv` will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.	Srv deserves files for local network file server such as FTP. Ensuring that `/srv` is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
CCE-91179-2	Ensure /tmp Located On Separate Partition	The `/tmp` directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.	The `/tmp` partition is used as temporary storage by many programs. Placing `/tmp` in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
CCE-91180-0	Ensure /usr Located On Separate Partition	It is recommended that the `/usr` directory resides on a separate partition.	The `/usr` partition contains system software, utilities and files. Putting it on a separate partition allows limiting its size and applying restrictions through mount options.
CCE-91181-8	Ensure /var/log Located On Separate Partition	System logs are stored in the `/var/log` directory. Ensure that `/var/log` has its own partition or logical volume at installation time, or migrate it using LVM.	Placing `/var/log` in its own partition enables better separation between log files and other files in `/var/`.
CCE-91182-6	Ensure /var/tmp Located On Separate Partition	The `/var/tmp` directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.	The `/var/tmp` partition is used as temporary storage by many programs. Placing `/var/tmp` in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
CCE-91183-4	Install sudo Package	The `sudo` package can be installed with the following command: $ sudo zypper install sudo	`sudo` is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.
CCE-91184-2	Ensure sudo Runs In A Minimal Environment - sudo env_reset	The sudo `env_reset` tag, when specified, will run the command in a minimal environment, containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables. This should be enabled by making sure that the `env_reset` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.	Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentally, preventing leak of potentially sensitive information.
CCE-91185-9	Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot	The sudo `ignore_dot` tag, when specified, will ignore the current directory in the PATH environment variable. This should be enabled by making sure that the `ignore_dot` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.	Ignoring the commands in the user's current directory prevents an attacker from executing commands downloaded locally.
CCE-91186-7	Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC	The sudo `NOEXEC` tag, when specified, prevents user executed commands from executing other commands, like a shell for example. This should be enabled by making sure that the `NOEXEC` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.	Restricting the capability of sudo allowed commands to execute sub-commands prevents users from running programs with privileges they wouldn't have otherwise.
CCE-91187-5	Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout	The sudo `passwd_timeout` tag sets the amount of time sudo password prompt waits. The passwd_timeout should be configured by making sure that the `passwd_timeout=5` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.	Reducing the time `sudo` waits for a a password reduces the time the process is exposed.
CCE-91188-3	Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty	The sudo `requiretty` tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the `requiretty` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.	Restricting the use cases in which a user is allowed to execute sudo commands reduces the attack surface.
CCE-91189-1	Ensure sudo umask is appropriate - sudo umask	The sudo `umask` tag, when specified, will be added the to the user's umask in the command environment. The umask should be configured by making sure that the `umask=0022` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.	The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
CCE-91190-9	Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty	The sudo `use_pty` tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the `use_pty` tag exists in `/etc/sudoers` configuration file or any sudo configuration snippets in `/etc/sudoers.d/`.	Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user's terminal after the main program has finished executing.
CCE-91191-7	Ensure a dedicated group owns sudo	Restrict the execution of privilege escalated commands to a dedicated group of users. Ensure the group owner of /usr/bin/sudo is `root`.	Restricting the set of users able to execute commands as privileged user reduces the attack surface.
CCE-91192-5	Explicit arguments in sudo specifications	All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.	Any argument can modify quite significantly the behavior of a program, whether regarding the realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the level of its specification. For example, on some systems, the kernel messages are only accessible by root. If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted in order to prevent the user from flushing the buffer through the -c option: user ALL = dmesg ""
CCE-91193-3	Don't define allowed commands in sudoers by means of exclusion	Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the `sudoers` file contains a comma-delimited list of command specifications. The definition can make use glob patterns, as well as of negations. Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.	Specifying access right using negation is inefficient and can be easily circumvented. For example, it is expected that a specification like # To avoid absolutely , this rule can be easily circumvented! user ALL = ALL ,!/ bin/sh prevents the execution of the shell but that’s not the case: just copy the binary `/bin/sh` to a different name to make it executable again through the rule keyword `ALL`.
CCE-91194-1	Don't target root user in the sudoers file	The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). User specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), and `ALL` or `root` should not be used.	It is common that the command to be executed does not require superuser rights (editing a file whose the owner is not root, sending a signal to an unprivileged process,etc.). In order to limit any attempt of privilege escalation through a command, it is better to apply normal user rights.
CCE-91195-8	Prefer to use a 64-bit Operating System when supported	Prefer installation of 64-bit operating systems when the CPU supports it.	Use of a 64-bit operating system offers a few advantages, like a larger address space range for Address Space Layout Randomization (ASLR) and systematic presence of No eXecute and Execute Disable (NX/XD) protection bits.
CCE-91196-6	Set Up a Private Namespace in PAM Configuration	To setup a private namespace add the following line to `/etc/pam.d/login`: session required pam_namespace.so	The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both. The polyinstatied directories can be used to dedicate separate temporary directories to each account.
CCE-91197-4	Configure Polyinstantiation of /tmp Directories	To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: $ sudo mkdir --mode 000 /tmp/tmp-inst Then, add the following entry to `/etc/security/namespace.conf`: /tmp /tmp/tmp-inst/ level root,adm	Polyinstantiation of temporary directories is a proactive security measure which reduces chances of attacks that are made possible by /tmp directories being world-writable.
CCE-91198-2	Configure Polyinstantiation of /var/tmp Directories	To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: $ sudo mkdir --mode 000 /var/tmp/tmp-inst Then, add the following entry to `/etc/security/namespace.conf`: /var/tmp /var/tmp/tmp-inst/ level root,adm	Polyinstantiation of temporary directories is a proactive security measure which reduces chances of attacks that are made possible by /var/tmp directories being world-writable.
CCE-91199-0	Ensure rsyslog-gnutls is installed	TLS protocol support for rsyslog is installed. The `rsyslog-module-gtls` package can be installed with the following command: $ sudo zypper install rsyslog-module-gtls	The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.
CCE-91200-6	Configure TLS for rsyslog remote logging	Configure `rsyslog` to use Transport Layer Security (TLS) support for logging to remote server for the Forwarding Output Module in `/etc/rsyslog.conf` using action. You can use the following command: echo 'action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")' >> /etc/rsyslog.conf Replace the `<remote system>` in the above command with an IP address or a host name of the remote logging server.	For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted.
CCE-91201-4	Configure CA certificate for rsyslog remote logging	Configure CA certificate for `rsyslog` logging to remote server using Transport Layer Security (TLS) using correct path for the `DefaultNetstreamDriverCAFile` global option in `/etc/rsyslog.conf`, for example with the following command: echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf Replace the `/etc/pki/tls/cert.pem` in the above command with the path to the file with CA certificate generated for the purpose of remote logging.	The CA certificate needs to be set or `rsyslog.service` fails to start with error: ca certificate is not set, cannot continue
CCE-91202-2	Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces	To set the runtime status of the `net.ipv6.conf.all.accept_ra_defrtr` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_ra_defrtr = 0	An illicit router advertisement message could result in a man-in-the-middle attack.
CCE-91203-0	Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces	To set the runtime status of the `net.ipv6.conf.all.accept_ra_pinfo` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_ra_pinfo = 0	An illicit router advertisement message could result in a man-in-the-middle attack.
CCE-91204-8	Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces	To set the runtime status of the `net.ipv6.conf.all.accept_ra_rtr_pref` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_ra_rtr_pref = 0	An illicit router advertisement message could result in a man-in-the-middle attack.
CCE-91205-5	Configure Auto Configuration on All IPv6 Interfaces	To set the runtime status of the `net.ipv6.conf.all.autoconf` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.autoconf=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.autoconf = 0	An illicit router advertisement message could result in a man-in-the-middle attack.
CCE-91206-3	Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces	To set the runtime status of the `net.ipv6.conf.all.max_addresses` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.max_addresses=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.max_addresses = 1	The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses.
CCE-91207-1	Configure Denying Router Solicitations on All IPv6 Interfaces	To set the runtime status of the `net.ipv6.conf.all.router_solicitations` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.router_solicitations = 0	To prevent discovery of the system by other systems, router solicitation requests should be denied.
CCE-91208-9	Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default	To set the runtime status of the `net.ipv6.conf.default.accept_ra_defrtr` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_ra_defrtr = 0	An illicit router advertisement message could result in a man-in-the-middle attack.
CCE-91209-7	Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default	To set the runtime status of the `net.ipv6.conf.default.accept_ra_pinfo` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_ra_pinfo = 0	An illicit router advertisement message could result in a man-in-the-middle attack.
CCE-91210-5	Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default	To set the runtime status of the `net.ipv6.conf.default.accept_ra_rtr_pref` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_ra_rtr_pref = 0	An illicit router advertisement message could result in a man-in-the-middle attack.
CCE-91211-3	Configure Auto Configuration on All IPv6 Interfaces By Default	To set the runtime status of the `net.ipv6.conf.default.autoconf` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.autoconf=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.autoconf = 0	An illicit router advertisement message could result in a man-in-the-middle attack.
CCE-91212-1	Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default	To set the runtime status of the `net.ipv6.conf.default.max_addresses` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.max_addresses=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.max_addresses = 1	The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses.
CCE-91213-9	Configure Denying Router Solicitations on All IPv6 Interfaces By Default	To set the runtime status of the `net.ipv6.conf.default.router_solicitations` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.router_solicitations = 0	To prevent discovery of the system by other systems, router solicitation requests should be denied.
CCE-91214-7	Configure Notification of Post-AIDE Scan Details	AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in `/etc/crontab`, append the following line to the existing AIDE line: \| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost Otherwise, add the following line to `/etc/crontab`: 05 4 * * * root /usr/bin/aide --check \| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost AIDE can be executed periodically through other means; this is merely one example.	Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
CCE-91215-4	Ensure the Default Bash Umask is Set Correctly	To ensure the default umask for users of the Bash shell is set properly, add or correct the `umask` setting in `/etc/bash.bashrc` to read as follows: umask `027`	The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
CCE-91216-2	Ensure the Default Umask is Set Correctly in /etc/profile	To ensure the default umask controlled by `/etc/profile` is set properly, add or correct the `umask` setting in `/etc/profile` to read as follows: umask `027` Note that `/etc/profile` also reads scripts within `/etc/profile.d` directory. These scripts are also valid files to set umask value. Therefore, they should also be considered during the check and properly remediated, if necessary.	The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
CCE-91217-0	IOMMU configuration directive	On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. Configure the default Grub2 kernel command line to contain iommu=force as follows: # grub2-editenv - set "$(grub2-editenv - list \| grep kernelopts) iommu=force"	On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by hardware devices.
CCE-91218-8	Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces	To set the runtime status of the `net.ipv4.conf.all.rp_filter` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.rp_filter = 1	Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
CCE-91219-6	Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default	To set the runtime status of the `net.ipv4.conf.default.rp_filter` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.rp_filter = 1	Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
CCE-91220-4	Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces	To set the runtime status of the `net.ipv4.conf.all.secure_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.secure_redirects = 0	Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
CCE-91221-2	Configure Kernel Parameter for Accepting Secure Redirects By Default	To set the runtime status of the `net.ipv4.conf.default.secure_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.secure_redirects = 0	Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
CCE-91222-0	Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces	To set the runtime status of the `net.ipv4.conf.all.log_martians` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.log_martians=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.log_martians = 1	The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
CCE-91223-8	Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces	To set the runtime status of the `net.ipv4.tcp_rfc1337` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_rfc1337=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.tcp_rfc1337 = 1	Enable TCP behavior conformant with RFC 1337. When disabled, if a RST is received in TIME_WAIT state, we close the socket immediately without waiting for the end of the TIME_WAIT period.
CCE-91224-6	Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces	To set the runtime status of the `net.ipv4.icmp_ignore_bogus_error_responses` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.icmp_ignore_bogus_error_responses = 1	Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
CCE-91225-3	Set Kernel Parameter to Increase Local Port Range	To set the runtime status of the `net.ipv4.ip_local_port_range` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.ip_local_port_range = 32768 65535	This setting defines the local port range that is used by TCP and UDP to choose the local port. The first number is the first, the second the last local port number.
CCE-91227-9	Uninstall tftp-server Package	The `tftp-server` package can be removed with the following command: $ sudo zypper remove tftp-server	Removing the `tftp-server` package decreases the risk of the accidental (or intentional) activation of tftp services. If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Security Manager (ISSM), restricted to only authorized personnel, and have access control rules established.
CCE-91228-7	Set SSH Client Alive Count Max	The SSH server sends at most `ClientAliveCountMax` messages during a SSH session and waits for a response from the SSH client. The option `ClientAliveInterval` configures timeout after each `ClientAliveCountMax` message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. For SSH earlier than v8.2, a `ClientAliveCountMax` value of `0` causes a timeout precisely when the `ClientAliveInterval` is set. Starting with v8.2, a value of `0` disables the timeout functionality completely. If the option is set to a number greater than `0`, then the session will be disconnected after `ClientAliveInterval * ClientAliveCountMax` seconds without receiving a keep alive message.	This ensures a user login will be terminated as soon as the `ClientAliveInterval` is reached.
CCE-91229-5	The Chrony package is installed	System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. The `chrony` package can be installed with the following command: $ sudo zypper install chrony	Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.
CCE-91230-3	Verify User Who Owns gshadow File	To properly set the owner of `/etc/gshadow`, run the command: $ sudo chown root /etc/gshadow	The `/etc/gshadow` file contains group password hashes. Protection of this file is critical for system security.
CCE-91231-1	Verify Permissions on gshadow File	To properly set the permissions of `/etc/gshadow`, run the command: $ sudo chmod 0000 /etc/gshadow	The `/etc/gshadow` file contains group password hashes. Protection of this file is critical for system security.
CCE-91233-7	Ensure No World-Writable Files Exist	It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as `sysfs` or `procfs`.	Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.
CCE-91234-5	Add noexec Option to /boot	The `noexec` mount option can be used to prevent binaries from being executed out of `/boot`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/boot`.	The `/boot` partition contains the kernel and the bootloader. No binaries should be executed from this partition after the booting process finishes.
CCE-91235-2	Add nosuid Option to /boot	The `nosuid` mount option can be used to prevent execution of setuid programs in `/boot`. The SUID and SGID permissions should not be required on the boot partition. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/boot`.	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.
CCE-91236-0	Add noexec Option to /home	The `noexec` mount option can be used to prevent binaries from being executed out of `/home`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/home`.	The `/home` directory contains data of individual users. Binaries in this directory should not be considered as trusted and users should not be able to execute them.
CCE-91237-8	Add nodev Option to Non-Root Local Partitions	The `nodev` mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of any non-root local partitions.	The `nodev` mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set `nodev` on these filesystems.
CCE-91238-6	Configure the polyinstantiation_enabled SELinux Boolean	By default, the SELinux boolean `polyinstantiation_enabled` is disabled. This setting should be configured to `false`. To set the `polyinstantiation_enabled` SELinux boolean, run the following command: $ sudo setsebool -P polyinstantiation_enabled `false`
CCE-91239-4	Ensure All World-Writable Directories Are Owned by root User	All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. Following this, the files should be deleted or assigned to root user.	Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
CCE-91240-2	Ensure IPv6 is disabled through kernel boot parameter	To disable IPv6 protocol support in the Linux kernel, add the argument `ipv6.disable=1` to the default GRUB2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain ipv6.disable=1 as follows: # grub2-editenv - set "$(grub2-editenv - list \| grep kernelopts) ipv6.disable=1"	Any unnecessary network stacks, including IPv6, should be disabled to reduce the vulnerability to exploitation.
CCE-91241-0	Disable DCCP Support	The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the `dccp` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/dccp.conf`: install dccp /bin/false This entry will cause a non-zero return value during a `dccp` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install dccp /bin/true	Disabling DCCP protects the system against exploitation of any flaws in its implementation.
CCE-91242-8	Disable SCTP Support	The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the `sctp` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/sctp.conf`: install sctp /bin/false This entry will cause a non-zero return value during a `sctp` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install sctp /bin/true	Disabling SCTP protects the system against exploitation of any flaws in its implementation.
CCE-91243-6	Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces	To set the runtime status of the `net.ipv4.icmp_echo_ignore_broadcasts` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.icmp_echo_ignore_broadcasts = 1	Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
CCE-91244-4	Install iptables Package	The `iptables` package can be installed with the following command: $ sudo zypper install iptables	`iptables` controls the Linux kernel network packet filtering code. `iptables` allows system operators to set up firewalls and IP masquerading, etc.
CCE-91245-1	Ensure Users Cannot Change GNOME3 Session Idle Settings	If not already configured, ensure that users cannot change GNOME3 session idle settings by adding `/org/gnome/desktop/session/idle-delay` to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/session/idle-delay After the settings have been set, run `dconf update`.	A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.
CCE-91246-9	Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)	At a minimum the audit system should collect unauthorized file accesses for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access	Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
CCE-91247-7	Ensure auditd Collects Information on Kernel Module Loading and Unloading	To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules The place to add the lines depends on a way `auditd` daemon is configured. If it is configured to use the `augenrules` program (the default), add the lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`. If the `auditd` daemon is configured to use the `auditctl` utility, add the lines to file `/etc/audit/audit.rules`.	The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
CCE-91248-5	Record Attempts to Alter Logon and Logout Events	The audit system already collects login information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d` in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w `/var/log/faillock` -p wa -k logins -w /var/log/lastlog -p wa -k logins If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins -w `/var/log/faillock` -p wa -k logins -w /var/log/lastlog -p wa -k logins	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
CCE-91249-3	Configure auditd max_log_file_action Upon Reaching Maximum Log Size	The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by `auditd`, add or correct the line in `/etc/audit/auditd.conf`: max_log_file_action = ACTION Possible values for ACTION are described in the `auditd.conf` man page. These include: `ignore` `syslog` `suspend` `rotate` `keep_logs` Set the `ACTION` to `rotate` to ensure log rotation occurs. This is the default. The setting is case-insensitive.	Automatically rotating logs (by setting this to `rotate`) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, `keep_logs` can be employed.
CCE-91250-1	Record Events that Modify the System's Discretionary Access Controls - umount2	At a minimum, the audit system should collect file system umount2 changes. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file: -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod	The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
CCE-91251-9	Ensure auditd Collects Information on the Use of Privileged Commands	The audit system should collect information about usage of privileged commands for all users. These are commands with suid or sgid bits on and they are specially risky in local block device partitions not mounted with noexec and nosuid options. Therefore, these partitions should be first identified by the following command: findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems \| paste -sd,) \| grep -Pv "noexec\|nosuid" For all partitions listed by the previous command, it is necessary to search for setuid / setgid programs using the following command: $ sudo find PARTITION -xdev -perm /6000 -type f 2>/dev/null For each setuid / setgid program identified by the previous command, an audit rule must be present in the appropriate place using the following line structure, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -F path=PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup, add the line to a file with suffix `.rules` in the `/etc/audit/rules.d` directory, replacing the PROG_PATH part with the full path of that setuid / setgid identified program. If the `auditd` daemon is configured to use the `auditctl` utility instead, add the line to the `/etc/audit/audit.rules` file, also replacing the PROG_PATH part with the full path of that setuid / setgid identified program.	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern that can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-91252-7	Enable Kernel Parameter to Enforce DAC on Hardlinks	To set the runtime status of the `fs.protected_hardlinks` kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: fs.protected_hardlinks = 1	By enabling this kernel parameter, users can no longer create soft or hard links to files which they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of `open()` or `creat()`.
CCE-91253-5	Enable Kernel Parameter to Enforce DAC on Symlinks	To set the runtime status of the `fs.protected_symlinks` kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: fs.protected_symlinks = 1	By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of `open()` or `creat()`.
CCE-91254-3	Enable NX or XD Support in the BIOS	Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.	Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will.
CCE-91255-0	Install PAE Kernel on Supported 32-bit x86 Systems	Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support. The `kernel-PAE` package can be installed with the following command: $ sudo zypper install kernel-PAE The installation process should also have configured the bootloader to load the new kernel at boot. Verify this after reboot and modify `/etc/default/grub` if necessary.	On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.
CCE-91256-8	Disable loading and unloading of kernel modules	To set the runtime status of the `kernel.modules_disabled` kernel parameter, run the following command: $ sudo sysctl -w kernel.modules_disabled=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.modules_disabled = 1	Malicious kernel modules can have a significant impact on system security and availability. Disabling loading of kernel modules prevents this threat. Note that once this option has been set, it cannot be reverted without doing a system reboot. Make sure that all needed kernel modules are loaded before setting this option.
CCE-91257-6	Limit CPU consumption of the Perf system	To set the runtime status of the `kernel.perf_cpu_time_max_percent` kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_cpu_time_max_percent=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.perf_cpu_time_max_percent = 1	The `kernel.perf_cpu_time_max_percent` configures a threshold of maximum percentile of CPU that can be used by Perf system. Restricting usage of `Perf` system decreases risk of potential availability problems.
CCE-91258-4	Disallow kernel profiling by unprivileged users	To set the runtime status of the `kernel.perf_event_paranoid` kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.perf_event_paranoid = 2	Kernel profiling can reveal sensitive information about kernel behaviour.
CCE-91259-2	Limit sampling frequency of the Perf system	To set the runtime status of the `kernel.perf_event_max_sample_rate` kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_max_sample_rate=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.perf_event_max_sample_rate = 1	The `kernel.perf_event_max_sample_rate` parameter configures maximum frequency of collecting of samples for the Perf system. It is expressed in samples per second. Restricting usage of `Perf` system decreases risk of potential availability problems.
CCE-91260-0	Configure maximum number of process identifiers	To set the runtime status of the `kernel.pid_max` kernel parameter, run the following command: $ sudo sysctl -w kernel.pid_max=65536 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.pid_max = 65536	The `kernel.pid_max` parameter configures upper limit on process identifiers (PID). If this number is not high enough, it might happen that forking of new processes is not possible, because all available PIDs are exhausted. Increasing this number enhances availability.
CCE-91261-8	Disallow magic SysRq key	To set the runtime status of the `kernel.sysrq` kernel parameter, run the following command: $ sudo sysctl -w kernel.sysrq=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.sysrq = 0	The Magic SysRq key allows sending certain commands directly to the running kernel. It can dump various system and process information, potentially revealing sensitive information. It can also reboot or shutdown the machine, disturbing its availability.
CCE-91262-6	Restrict usage of ptrace to descendant processes	To set the runtime status of the `kernel.yama.ptrace_scope` kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.yama.ptrace_scope = 1	Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).
CCE-91263-4	Prevent applications from mapping low portion of virtual memory	To set the runtime status of the `vm.mmap_min_addr` kernel parameter, run the following command: $ sudo sysctl -w vm.mmap_min_addr=65536 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: vm.mmap_min_addr = 65536	The `vm.mmap_min_addr` parameter specifies the minimum virtual address that a process is allowed to mmap. Allowing a process to mmap low portion of virtual memory can have security implications such as such as heightened risk of kernel null pointer dereference defects.
CCE-91264-2	Disable the ssh_sysadm_login SELinux Boolean	By default, the SELinux boolean `ssh_sysadm_login` is disabled. If this setting is enabled, it should be disabled. To disable the `ssh_sysadm_login` SELinux boolean, run the following command: $ sudo setsebool -P ssh_sysadm_login off	Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
CCE-91265-9	Configure the deny_execmem SELinux Boolean	By default, the SELinux boolean `deny_execmem` is disabled. This setting should be configured to `false`. To set the `deny_execmem` SELinux boolean, run the following command: $ sudo setsebool -P deny_execmem `false`	Allowing user domain applications to map a memory region as both writable and executable makes them more susceptible to data execution attacks.
CCE-91266-7	Configure the secure_mode_insmod SELinux Boolean	By default, the SELinux boolean `secure_mode_insmod` is disabled. This setting should be configured to `false`. To set the `secure_mode_insmod` SELinux boolean, run the following command: $ sudo setsebool -P secure_mode_insmod `false`
CCE-91267-5	Uninstall setroubleshoot-server Package	The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The `setroubleshoot-server` package can be removed with the following command: $ sudo zypper remove setroubleshoot-server	The SETroubleshoot service is an unnecessary daemon to have running on a server.
CCE-91268-3	Uninstall setroubleshoot Package	The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The `setroubleshoot` package can be removed with the following command: $ sudo zypper remove setroubleshoot	The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is removed or disabled.
CCE-91269-1	Uninstall setroubleshoot-plugins Package	The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The `setroubleshoot-plugins` package can be removed with the following command: $ sudo zypper remove setroubleshoot-plugins	The SETroubleshoot service is an unnecessary daemon to have running on a server.
CCE-91270-9	Add nosuid Option to /opt	The `nosuid` mount option can be used to prevent execution of setuid programs in `/opt`. The SUID and SGID permissions should not be required in this directory. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/opt`.	The presence of SUID and SGID executables should be tightly controlled. The `/opt` directory contains additional software packages. Users should not be able to execute SUID or SGID binaries from this directory.
CCE-91271-7	Add nosuid Option to /srv	The `nosuid` mount option can be used to prevent execution of setuid programs in `/srv`. The SUID and SGID permissions should not be required in this directory. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/srv`.	The presence of SUID and SGID executables should be tightly controlled. The `/srv` directory contains files served by various network services such as FTP. Users should not be able to execute SUID or SGID binaries from this directory.
CCE-91272-5	Add noexec Option to /tmp	The `noexec` mount option can be used to prevent binaries from being executed out of `/tmp`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/tmp`.	Allowing users to execute binaries from world-writable directories such as `/tmp` should never be necessary in normal operation and can expose the system to potential compromise.
CCE-91273-3	Add nosuid Option to /tmp	The `nosuid` mount option can be used to prevent execution of setuid programs in `/tmp`. The SUID and SGID permissions should not be required in these world-writable directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/tmp`.	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
CCE-91274-1	Add noexec Option to /var/log	The `noexec` mount option can be used to prevent binaries from being executed out of `/var/log`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log`.	Allowing users to execute binaries from directories containing log files such as `/var/log` should never be necessary in normal operation and can expose the system to potential compromise.
CCE-91275-8	Add nosuid Option to /var/log	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var/log`. The SUID and SGID permissions should not be required in directories containing log files. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log`.	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.
CCE-91276-6	Add noexec Option to /var	The `noexec` mount option can be used to prevent binaries from being executed out of `/var`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var`.	The `/var` directory contains variable system data such as logs, mails and caches. No binaries should be executed from this directory.
CCE-91277-4	Add nosuid Option to /var	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var`. The SUID and SGID permissions should not be required for this directory. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var`.	The presence of SUID and SGID executables should be tightly controlled.
CCE-91278-2	Add noexec Option to /var/tmp	The `noexec` mount option can be used to prevent binaries from being executed out of `/var/tmp`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/tmp`.	Allowing users to execute binaries from world-writable directories such as `/var/tmp` should never be necessary in normal operation and can expose the system to potential compromise.
CCE-91279-0	Add nosuid Option to /var/tmp	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var/tmp`. The SUID and SGID permissions should not be required in these world-writable directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/tmp`.	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
CCE-91280-8	Disable Postfix Network Listening	Edit the file `/etc/postfix/main.cf` to ensure that only the following `inet_interfaces` line appears: inet_interfaces = `loopback-only`	This ensures `postfix` accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.
CCE-91281-6	Configure the root Account lock for Failed Password Attempts via pam_tally2	This rule configures the system to lock out the `root` account after a number of incorrect login attempts using `pam_tally2.so`.	By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
CCE-91282-4	Set Lockout Time for Failed Password Attempts using pam_tally2	This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using `pam_tally2.so`.	By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
CCE-91283-2	Uninstall openldap-servers Package	The openldap2 package is not installed by default on a SUSE Linux Enterprise 15 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.	Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.
CCE-91284-0	Uninstall nfs-utils Package	The `nfs-utils` package can be removed with the following command: $ sudo zypper remove nfs-utils	`nfs-utils` provides a daemon for the kernel NFS server and related tools. This package also contains the `showmount` program. `showmount` queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, `showmount` can display the clients which are mounted on that host.
CCE-91285-7	Uninstall bind Package	The `named` service is provided by the `bind` package. The `bind` package can be removed with the following command: $ sudo zypper remove bind	If there is no need to make DNS server software available, removing it provides a safeguard against its activation.
CCE-91286-5	Uninstall httpd Package	The `httpd` package can be removed with the following command: $ sudo zypper remove httpd	If there is no need to make the web server software available, removing it provides a safeguard against its activation.
CCE-91287-3	Uninstall Samba Package	The `samba` package can be removed with the following command: $ sudo zypper remove samba	If there is no need to make the Samba software available, removing it provides a safeguard against its activation.
CCE-91288-1	Uninstall net-snmp Package	The `net-snmp` package provides the snmpd service. The `net-snmp` package can be removed with the following command: $ sudo zypper remove net-snmp	If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.
CCE-91289-9	Verify Root Has A Primary GID 0	The `root` user should have a primary group of 0.	To help ensure that root-owned files are not inadvertently exposed to other users.
CCE-91290-7	Verify and Correct Ownership with RPM	The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, which can be found with: rpm -Va \| awk '{ if (substr($0,6,1)=="U" \|\| substr($0,7,1)=="G") print $NF }' run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --restore PACKAGENAME	Ownership of binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
CCE-91291-5	Install the Host Intrusion Prevention System (HIPS) Module	Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module.	Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.
CCE-91292-3	Record Events that Modify User/Group Information	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules` file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification	In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
CCE-91293-1	Install the ntp service	The ntpd service should be installed.	Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regularly maintained and updated, supporting security features such as RFC 5906.
CCE-91294-9	Enable the NTP Daemon	The `ntp` service can be enabled with the following command: $ sudo systemctl enable ntp.service	Enabling the `ntp` service ensures that the `ntp` service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The NTP daemon offers all of the functionality of `ntpdate`, which is now deprecated.
CCE-91295-6	Enable the NTP Daemon	The `ntpd` service can be enabled with the following command: $ sudo systemctl enable ntpd.service	Enabling the `ntpd` service ensures that the `ntpd` service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The NTP daemon offers all of the functionality of `ntpdate`, which is now deprecated.
CCE-91296-4	Enable systemd_timesyncd Service	The `systemd_timesyncd` service can be enabled with the following command: $ sudo systemctl enable systemd_timesyncd.service	Enabling the `systemd_timesyncd` service ensures that this host uses the ntp protocol to fetch time data from a ntp server. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. Additional information on Ubuntu network time protocol is available at https://help.ubuntu.com/lts/serverguide/NTP.html.en.
CCE-91297-2	Specify Additional Remote NTP Servers	Additional NTP servers can be specified for time synchronization in the file `/etc/ntp.conf`. To do so, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver: server ntpserver	Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.
CCE-91298-0	Specify a Remote NTP Server	To specify a remote NTP server for time synchronization, edit the file `/etc/ntp.conf`. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver: server ntpserver This instructs the NTP software to contact that remote server to obtain time data.	Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.
CCE-91299-8	Verify Permissions on crontab	To properly set the permissions of `/etc/crontab`, run the command: $ sudo chmod 0600 /etc/crontab	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
CCE-91300-4	Verify Permissions on cron.hourly	To properly set the permissions of `/etc/cron.hourly`, run the command: $ sudo chmod 0700 /etc/cron.hourly	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
CCE-91301-2	Verify Permissions on cron.daily	To properly set the permissions of `/etc/cron.daily`, run the command: $ sudo chmod 0700 /etc/cron.daily	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
CCE-91302-0	Verify Permissions on cron.weekly	To properly set the permissions of `/etc/cron.weekly`, run the command: $ sudo chmod 0700 /etc/cron.weekly	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
CCE-91303-8	Verify Permissions on cron.monthly	To properly set the permissions of `/etc/cron.monthly`, run the command: $ sudo chmod 0700 /etc/cron.monthly	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
CCE-91304-6	Verify Permissions on cron.d	To properly set the permissions of `/etc/cron.d`, run the command: $ sudo chmod 0700 /etc/cron.d	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
CCE-91305-3	Ensure rsyncd service is disabled	The `rsyncd` service can be disabled with the following command: $ sudo systemctl mask --now rsyncd.service	The rsyncd service presents a security risk as it uses unencrypted protocols for communication.
CCE-91306-1	Verify Permissions on SSH Server config file	To properly set the permissions of `/etc/ssh/sshd_config`, run the command: $ sudo chmod 0600 /etc/ssh/sshd_config	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
CCE-91307-9	Disable SSH Support for .rhosts Files	SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via `.rhosts` files. The default SSH configuration disables support for `.rhosts`. The appropriate configuration is used if no value is set for `IgnoreRhosts`. To explicitly disable support for .rhosts files, add or correct the following line in `/etc/ssh/sshd_config`: IgnoreRhosts yes	SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
CCE-91308-7	Ensure SSH MaxStartups is configured	The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. To configure MaxStartups, you should add or edit the following line in the `/etc/ssh/sshd_config` file: MaxStartups `10:30:100`	To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon.
CCE-91309-5	Set SSH MaxSessions limit	The `MaxSessions` parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit `/etc/ssh/sshd_config` as follows: MaxSessions `10`	To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon.
CCE-91310-3	Ensure LDAP client is not installed	The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The `openldap2-client` package can be removed with the following command: $ sudo zypper remove openldap2-client	If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface.
CCE-91311-1	Ensure Sudo Logfile Exists - sudo logfile	A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.	A sudo log file simplifies auditing of sudo commands.
CCE-91312-9	Disable rpcbind Service	The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. If the system does not require RPC (such as for NFS servers) then this service should be disabled. The `rpcbind` service can be disabled with the following command: $ sudo systemctl mask --now rpcbind.service	If the system does not require rpc based services, it is recommended that rpcbind be disabled to reduce the attack surface.
CCE-91313-7	Ensure that /etc/at.deny does not exist	The file `/etc/at.deny` should not exist. Use `/etc/at.allow` instead.	Access to `at` should be restricted. It is easier to manage an allow list than a deny list.
CCE-91314-5	Ensure that /etc/cron.deny does not exist	The file `/etc/cron.deny` should not exist. Use `/etc/cron.allow` instead.	Access to `cron` should be restricted. It is easier to manage an allow list than a deny list.
CCE-91315-2	Verify Group Who Owns /etc/at.allow file	If `/etc/at.allow` exists, it must be group-owned by `root`. To properly set the group owner of `/etc/at.allow`, run the command: $ sudo chgrp root /etc/at.allow	If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
CCE-91316-0	Verify Group Who Owns /etc/cron.allow file	If `/etc/cron.allow` exists, it must be group-owned by `root`. To properly set the group owner of `/etc/cron.allow`, run the command: $ sudo chgrp root /etc/cron.allow	If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
CCE-91317-8	Verify User Who Owns /etc/at.allow file	If `/etc/at.allow` exists, it must be owned by `root`. To properly set the owner of `/etc/at.allow`, run the command: $ sudo chown root /etc/at.allow	If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
CCE-91318-6	Verify User Who Owns /etc/cron.allow file	If `/etc/cron.allow` exists, it must be owned by `root`. To properly set the owner of `/etc/cron.allow`, run the command: $ sudo chown root /etc/cron.allow	If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
CCE-91319-4	Verify Permissions on /etc/at.allow file	If `/etc/at.allow` exists, it must have permissions `0640` or more restrictive. To properly set the permissions of `/etc/at.allow`, run the command: $ sudo chmod 0640 /etc/at.allow	If the permissions of the at.allow file are not set to 0640 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.
CCE-91320-2	Verify Permissions on /etc/cron.allow file	If `/etc/cron.allow` exists, it must have permissions `0640` or more restrictive. To properly set the permissions of `/etc/cron.allow`, run the command: $ sudo chmod 0640 /etc/cron.allow	If the permissions of the cron.allow file are not set to 0640 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.
CCE-91321-0	Disable Avahi Server Software	The `avahi-daemon` service can be disabled with the following command: $ sudo systemctl mask --now avahi-daemon.service	Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
CCE-91322-8	Disable the CUPS Service	The `cups` service can be disabled with the following command: $ sudo systemctl mask --now cups.service	Turn off unneeded services to reduce attack surface.
CCE-91323-6	Verify Group Who Owns Backup passwd File	To properly set the group owner of `/etc/passwd-`, run the command: $ sudo chgrp root /etc/passwd-	The `/etc/passwd-` file is a backup file of `/etc/passwd`, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.
CCE-91324-4	Verify User Who Owns Backup passwd File	To properly set the owner of `/etc/passwd-`, run the command: $ sudo chown root /etc/passwd-	The `/etc/passwd-` file is a backup file of `/etc/passwd`, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.
CCE-91325-1	Verify Permissions on Backup passwd File	To properly set the permissions of `/etc/passwd-`, run the command: $ sudo chmod 0644 /etc/passwd-	The `/etc/passwd-` file is a backup file of `/etc/passwd`, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.
CCE-91326-9	Verify Group Who Owns Backup shadow File	To properly set the owner of `/etc/shadow-`, run the command: $ sudo chown root /etc/shadow-	The `/etc/shadow-` file is a backup file of `/etc/shadow`, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
CCE-91327-7	Verify User Who Owns Backup shadow File	To properly set the group owner of `/etc/shadow-`, run the command: $ sudo chgrp shadow /etc/shadow-	The `/etc/shadow-` file is a backup file of `/etc/shadow`, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
CCE-91328-5	Verify Permissions on Backup shadow File	To properly set the permissions of `/etc/shadow-`, run the command: $ sudo chmod 0640 /etc/shadow-	The `/etc/shadow-` file is a backup file of `/etc/shadow`, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
CCE-91329-3	Verify Group Who Owns Backup group File	To properly set the group owner of `/etc/group-`, run the command: $ sudo chgrp root /etc/group-	The `/etc/group-` file is a backup file of `/etc/group`, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.
CCE-91330-1	Verify User Who Owns Backup group File	To properly set the owner of `/etc/group-`, run the command: $ sudo chown root /etc/group-	The `/etc/group-` file is a backup file of `/etc/group`, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.
CCE-91331-9	Verify Permissions on Backup group File	To properly set the permissions of `/etc/group-`, run the command: $ sudo chmod 0644 /etc/group-	The `/etc/group-` file is a backup file of `/etc/group`, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.
CCE-91332-7	Set SSH authentication attempt limit	The `MaxAuthTries` parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. to set MaxAUthTries edit `/etc/ssh/sshd_config` as follows: MaxAuthTries `4`	Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server.
CCE-91333-5	Enable PAM	UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. To enable PAM authentication, add or correct the following line in `/etc/ssh/sshd_config`: UsePAM yes	When UsePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server.
CCE-91334-3	Disable SSH TCP Forwarding	The `AllowTcpForwarding` parameter specifies whether TCP forwarding is permitted. To disable TCP forwarding, add or correct the following line in `/etc/ssh/sshd_config`: AllowTcpForwarding no	Leaving port forwarding enabled can expose the organization to security risks and back-doors.
CCE-91335-0	Set Password Warning Age	To specify how many days prior to password expiration that a warning will be issued to users, edit the file `/etc/login.defs` and add or correct the following line: PASS_WARN_AGE `7` The profile requirement is `7`.	Setting the password warning age enables users to make the change at a practical time.
CCE-91336-8	Enforce usage of pam_wheel for su authentication	To ensure that only users who are members of the `wheel` group can run commands with altered privileges through the `su` command, make sure that the following line exists in the file `/etc/pam.d/su`: auth required pam_wheel.so use_uid	The `su` program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice.
CCE-91337-6	Use Only FIPS 140-2 Validated Ciphers	Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in `/etc/ssh/sshd_config` demonstrates use of FIPS-approved ciphers: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc The man page `sshd_config(5)` contains a list of supported ciphers. The rule is parametrized to use the following ciphers: `aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se`.	Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on SUSE Linux Enterprise 15.
CCE-91338-4	Use Only FIPS 140-2 Validated MACs	Limit the MACs to those hash algorithms which are FIPS-approved. The following line in `/etc/ssh/sshd_config` demonstrates use of FIPS-approved MACs: MACs hmac-sha2-512,hmac-sha2-256 The man page `sshd_config(5)` contains a list of supported MACs. The rule is parametrized to use the following MACs: `hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com`.	FIPS-approved cryptographic hash functions are required to be used. The only SSHv2 hash algorithms meeting this requirement is SHA2.
CCE-91339-2	Ensure All Groups on the System Have Unique Group ID	Change the group name or delete groups, so each has a unique id.	To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.
CCE-91340-0	Ensure All Groups on the System Have Unique Group Names	Change the group name or delete groups, so each has a unique name.	To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.
CCE-91341-8	Disable Prelinking	The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file `/etc/sysconfig/prelink`: PRELINKING=no Next, run the following command to return binaries to a normal, non-prelinked state: $ sudo /usr/sbin/prelink -ua	Because the prelinking feature changes binaries, it can interfere with the operation of certain software and/or modes such as AIDE, FIPS, etc.
CCE-91342-6	Set Default ip6tables Policy for Incoming Packets	To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in `/etc/sysconfig/ip6tables`: :INPUT DROP [0:0] If changes were required, reload the ip6tables rules: $ sudo service ip6tables reload	In `ip6tables`, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to `DROP` implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
CCE-91343-4	Limit Users' SSH Access	By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically allowing a user's access only from a particular host, the entry can be specified in the form of user@host. - AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable.	Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system.
CCE-91344-2	Ensure shadow Group is Empty	The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.	Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.
CCE-91345-9	Set configuration for loopback traffic	Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.	Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
CCE-91346-7	Set configuration for IPv6 loopback traffic	Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.	Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
CCE-91347-5	Require Authentication for Emergency Systemd Target	Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. By default, Emergency mode is protected by requiring a password and is set in `/usr/lib/systemd/system/emergency.service`.	This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
CCE-91348-3	Verify Group Who Owns gshadow File	To properly set the group owner of `/etc/gshadow`, run the command: $ sudo chgrp root /etc/gshadow	The `/etc/gshadow` file contains group password hashes. Protection of this file is critical for system security.
CCE-91349-1	Modify the System Message of the Day Banner	To configure the system message banner edit `/etc/motd`. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: `I've read & consent to terms in IS user agreem't.`	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
CCE-91350-9	Modify the System Login Banner for Remote Connections	To configure the system login banner edit `/etc/issue.net`. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: `I've read & consent to terms in IS user agreem't.`	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
CCE-91351-7	Verify permissions on Message of the Day Banner	To properly set the permissions of `/etc/motd`, run the command: $ sudo chmod 0644 /etc/motd	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner.
CCE-91352-5	Verify Group Ownership of Message of the Day Banner	To properly set the group owner of `/etc/motd`, run the command: $ sudo chgrp root /etc/motd	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner.
CCE-91353-3	Verify ownership of Message of the Day Banner	To properly set the owner of `/etc/motd`, run the command: $ sudo chown root /etc/motd	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner.
CCE-91354-1	Verify permissions on System Login Banner	To properly set the permissions of `/etc/issue`, run the command: $ sudo chmod 0644 /etc/issue	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner.
CCE-91355-8	Verify Group Ownership of System Login Banner	To properly set the group owner of `/etc/issue`, run the command: $ sudo chgrp root /etc/issue	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner.
CCE-91356-6	Verify ownership of System Login Banner	To properly set the owner of `/etc/issue`, run the command: $ sudo chown root /etc/issue	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner.
CCE-91357-4	Verify permissions on System Login Banner for Remote Connections	To properly set the permissions of `/etc/issue.net`, run the command: $ sudo chmod 0644 /etc/issue.net	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner.
CCE-91358-2	Verify Group Ownership of System Login Banner for Remote Connections	To properly set the group owner of `/etc/issue.net`, run the command: $ sudo chgrp root /etc/issue.net	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner.
CCE-91359-0	Verify ownership of System Login Banner for Remote Connections	To properly set the owner of `/etc/issue.net`, run the command: $ sudo chown root /etc/issue.net	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner.
CCE-91360-8	Ensure that chronyd is running under chrony user account	chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. To ensure that chronyd is running under chrony user account, add or edit the `OPTIONS` variable in `/etc/sysconfig/chronyd` to include `-u chrony`: OPTIONS="-u chrony" This recommendation only applies if chrony is in use on the system.	If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.
CCE-91361-6	Remove the X Windows Package Group	By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a `graphical.target` mode. To do so, run the following command: $ sudo zypper groupremove "X Window System" $ sudo zypper remove xorg-x11-server-common	Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
CCE-91362-4	Disable graphical user interface	By removing the following packages, the system no longer has X Windows installed. `xorg-x11-server` `xorg-x11-server-extra` `xorg-x11-server-Xvfb` `xwayland` If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a `graphical.target` mode. To do so, run the following command: sudo zypper remove xorg-x11-server xorg-x11-server-extra xorg-x11-server-Xvfb xwayland	Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
CCE-91363-2	Disable DHCP Service	The `dhcpd` service should be disabled on any system that does not need to act as a DHCP server. The `dhcpd` service can be disabled with the following command: $ sudo systemctl mask --now dhcpd.service	Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one.
CCE-91364-0	Disable Network File System (nfs)	The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as a NFS server then this service should be disabled. The `nfs-server` service can be disabled with the following command: $ sudo systemctl mask --now nfs-server.service	Unnecessary services should be disabled to decrease the attack surface of the system.
CCE-91365-7	Disable named Service	The `named` service can be disabled with the following command: $ sudo systemctl mask --now named.service	All network services involve some risk of compromise due to implementation flaws and should be disabled if possible.
CCE-91366-5	Disable vsftpd Service	The `vsftpd` service can be disabled with the following command: $ sudo systemctl mask --now vsftpd.service	Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information.
CCE-91367-3	Disable httpd Service	The `httpd` service can be disabled with the following command: $ sudo systemctl mask --now httpd.service	Running web server software provides a network-based avenue of attack, and should be disabled if not needed.
CCE-91368-1	Disable Dovecot Service	The `dovecot` service can be disabled with the following command: $ sudo systemctl mask --now dovecot.service	Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed.
CCE-91369-9	Uninstall dovecot Package	The `dovecot` package can be removed with the following command: $ sudo zypper remove dovecot	If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation.
CCE-91370-7	Disable Samba	The `smb` service can be disabled with the following command: $ sudo systemctl mask --now smb.service	Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed.
CCE-91371-5	Disable Squid	The `squid` service can be disabled with the following command: $ sudo systemctl mask --now squid.service	Running proxy server software provides a network-based avenue of attack, and should be removed if not needed.
CCE-91372-3	Uninstall squid Package	The `squid` package can be removed with the following command: $ sudo zypper remove squid	If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.
CCE-91373-1	Disable snmpd Service	The `snmpd` service can be disabled with the following command: $ sudo systemctl mask --now snmpd.service	Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.
CCE-91374-9	Extend Audit Backlog Limit for the Audit Daemon	To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument `audit_backlog_limit=8192` to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain audit_backlog_limit=`8192` as follows: # grub2-editenv - set "$(grub2-editenv - list \| grep kernelopts) audit_backlog_limit=`8192`"	audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.
CCE-91375-6	Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server	The `rsyslog` daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure any of the following lines are not found in `rsyslog` configuration files. If using legacy syntax: $ModLoad imtcp $InputTCPServerRun port $ModLoad imudp $UDPServerRun port $ModLoad imrelp $InputRELPServerRun port If using RainerScript syntax: module(load="imtcp") module(load="imudp") input(type="imtcp" port="514") input(type="imudp" port="514")	Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.
CCE-91376-4	Ensure journald is configured to send logs to rsyslog	Data from journald may be stored in volatile memory or persisted locally. Utilities exist to accept remote export of journald logs.	Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.
CCE-91377-2	Ensure journald is configured to compress large log files	The journald system can compress large log files to avoid fill the system disk.	Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full.
CCE-91378-0	Ensure journald is configured to write log files to persistent disk	The journald system may store log files in volatile memory or locally on disk. If the logs are only stored in volatile memory they will be lost upon reboot.	Log files contain valuable data and need to be persistent to aid in possible investigations.
CCE-91379-8	Install the cron service	The Cron service should be installed.	The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.
CCE-91380-6	Verify Group Who Owns Crontab	To properly set the group owner of `/etc/crontab`, run the command: $ sudo chgrp root /etc/crontab	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
CCE-91381-4	Verify Owner on crontab	To properly set the owner of `/etc/crontab`, run the command: $ sudo chown root /etc/crontab	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
CCE-91382-2	Verify Group Who Owns cron.hourly	To properly set the group owner of `/etc/cron.hourly`, run the command: $ sudo chgrp root /etc/cron.hourly	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
CCE-91383-0	Verify Owner on cron.hourly	To properly set the owner of `/etc/cron.hourly`, run the command: $ sudo chown root /etc/cron.hourly	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
CCE-91384-8	Verify Owner on cron.daily	To properly set the owner of `/etc/cron.daily`, run the command: $ sudo chown root /etc/cron.daily	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
CCE-91385-5	Verify Group Who Owns cron.daily	To properly set the group owner of `/etc/cron.daily`, run the command: $ sudo chgrp root /etc/cron.daily	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
CCE-91386-3	Verify Group Who Owns cron.weekly	To properly set the group owner of `/etc/cron.weekly`, run the command: $ sudo chgrp root /etc/cron.weekly	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
CCE-91387-1	Verify Owner on cron.weekly	To properly set the owner of `/etc/cron.weekly`, run the command: $ sudo chown root /etc/cron.weekly	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
CCE-91388-9	Verify Group Who Owns cron.monthly	To properly set the group owner of `/etc/cron.monthly`, run the command: $ sudo chgrp root /etc/cron.monthly	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
CCE-91389-7	Verify Owner on cron.monthly	To properly set the owner of `/etc/cron.monthly`, run the command: $ sudo chown root /etc/cron.monthly	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
CCE-91390-5	Verify Owner on cron.d	To properly set the owner of `/etc/cron.d`, run the command: $ sudo chown root /etc/cron.d	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
CCE-91391-3	Verify Group Who Owns cron.d	To properly set the group owner of `/etc/cron.d`, run the command: $ sudo chgrp root /etc/cron.d	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
CCE-91392-1	Verify Group Who Owns SSH Server config file	To properly set the group owner of `/etc/ssh/sshd_config`, run the command: $ sudo chgrp root /etc/ssh/sshd_config	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
CCE-91393-9	Verify Owner on SSH Server config file	To properly set the owner of `/etc/ssh/sshd_config`, run the command: $ sudo chown root /etc/ssh/sshd_config	Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
CCE-91394-7	Set LogLevel to INFO	The INFO parameter specifies that record login and logout activity will be logged. The default SSH configuration sets the log level to INFO. The appropriate configuration is used if no value is set for `LogLevel`. To explicitly specify the log level in SSH, add or correct the following line in `/etc/ssh/sshd_config`: LogLevel INFO	SSH provides several logging levels with varying amounts of verbosity. `DEBUG` is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. `INFO` level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.
CCE-91395-4	Use Only Strong Ciphers	Limit the ciphers to strong algorithms. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in `/etc/ssh/sshd_config` demonstrates use of those ciphers: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr The man page `sshd_config(5)` contains a list of supported ciphers.	Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBD) method. From that research, new Counter mode algorithms (as described in RFC4344) were designed that are not vulnerable to these types of attacks and these algorithms are now recommended for standard use.
CCE-91396-2	Use Only Strong MACs	Limit the MACs to strong hash algorithms. The following line in `/etc/ssh/sshd_config` demonstrates use of those MACs: MACs `hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160`	MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information
CCE-91397-0	Ensure SSH LoginGraceTime is configured	The `LoginGraceTime` parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate limits to ensure the service is available for needed access.	Setting the `LoginGraceTime` parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections.
CCE-91398-8	Limit Password Reuse	Do not allow users to reuse recent passwords. This can be accomplished by using the `remember` option for the `pam_pwhistory` PAM modules. In the file `/etc/pam.d/common-password`, make sure the parameters `remember` and `use_authtok` are present, and that the value for the `remember` parameter is `5` or greater. For example: password requisite pam_pwhistory.so ...existing_options... remember=`5` use_authtok The profile requirement is `5` passwords.	Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.
CCE-91399-6	Ensure there are no legacy + NIS entries in /etc/passwd	The `+` character in `/etc/passwd` file marks a place where entries from a network information service (NIS) should be directly inserted.	Using this method to include entries into `/etc/passwd` is considered legacy and should be avoided. These entries may provide a way for an attacker to gain access to the system.
CCE-91400-2	Ensure that Root's Path Does Not Include Relative Paths or Null Directories	Ensure that none of the directories in root's path is equal to a single `.` character, or that it contains any instances that lead to relative path traversal, such as `..` or beginning a path without the slash (`/`) character. Also ensure that there are no "empty" elements in the path, such as in these examples: PATH=:/bin PATH=/bin: PATH=/bin::/sbin These empty elements have the same effect as a single `.` character.	Including these entries increases the risk that root could execute code from an untrusted location.
CCE-91401-0	Ensure that Root's Path Does Not Include World or Group-Writable Directories	For each element in root's path, run: # ls -ld DIR and ensure that write permissions are disabled for group and other.	Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code.
CCE-91402-8	Ensure there are no legacy + NIS entries in /etc/shadow	The `+` character in `/etc/shadow` file marks a place where entries from a network information service (NIS) should be directly inserted.	Using this method to include entries into `/etc/shadow` is considered legacy and should be avoided. These entries may provide a way for an attacker to gain access to the system.
CCE-91403-6	All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive	Set the mode on files and directories in the local interactive user home directory with the following command: $ sudo chmod 0750 /home/USER/FILE_DIR Files that begin with a "." are excluded from this requirement.	If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.
CCE-91404-4	All Interactive User Home Directories Must Be Owned By The Primary User	Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the following command: $ sudo chown USER /home/USER This rule ensures every home directory related to an interactive user is owned by an interactive user. It also ensures that interactive users are owners of one and only one home directory.	If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.
CCE-91405-1	All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group	Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories, use the following command: $ sudo chgrp USER_GROUP /home/USER/FILE_DIR This rule ensures every file or directory under the home directory related to an interactive user is group-owned by an interactive user.	If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them.
CCE-91406-9	All User Files and Directories In The Home Directory Must Have a Valid Owner	Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive user's files and directories, use the following command: $ sudo chown -R USER /home/USER This rule ensures every file or directory under the home directory related to an interactive user is owned by an interactive user.	If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.
CCE-91407-7	Ensure users own their home directories	The user home directory is space defined for the particular user to set local environment variables and to store personal files. Since the user is accountable for files stored in the user home directory, the user must be the owner of the directory.	Since the user is accountable for files stored in the user home directory, the user must be the owner of the directory.
CCE-91408-5	User Initialization Files Must Be Group-Owned By The Primary Group	Change the group owner of interactive users files to the group found in /etc/passwd for the user. To change the group owner of a local interactive user home directory, use the following command: $ sudo chgrp USER_GROUP /home/USER/.INIT_FILE This rule ensures every initialization file related to an interactive user is group-owned by an interactive user.	Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
CCE-91409-3	User Initialization Files Must Be Owned By the Primary User	Set the owner of the user initialization files for interactive users to the primary owner with the following command: $ sudo chown USER /home/USER/.* This rule ensures every initialization file related to an interactive user is owned by an interactive user.	Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
CCE-91410-1	Set Default firewalld Zone for Incoming Packets	To set the default zone to `drop` for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in `/etc/firewalld/firewalld.conf` to be: DefaultZone=drop	In `firewalld` the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to `drop` implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
CCE-91411-9	Ensure firewall rules exist for all open ports	Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.	Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports.
CCE-91416-8	Use Kerberos Security on All Exports	Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to the NFS server, add `sec=krb5:krb5i:krb5p` to each export in `/etc/exports`.	When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.
CCE-91417-6	Enable ExecShield via sysctl	By default on SUSE Linux Enterprise 15 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in `/etc/default/grub`. For SUSE Linux Enterprise 15 32-bit systems, `sysctl` can be used to enable ExecShield.	ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.
CCE-91418-4	Disable Quagga Service	The `zebra` service can be disabled with the following command: $ sudo systemctl mask --now zebra.service	Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If routing daemons are used when not required, system network information may be unnecessarily transmitted across the network.
CCE-91419-2	Disable rlogin Service	The `rlogin` service, which is available with the `rsh-server` package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set `disable` to `yes` in `/etc/xinetd.d/rlogin`. The `rlogin` socket can be disabled with the following command: $ sudo systemctl mask --now rlogin.socket	The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
CCE-91420-0	Disable rexec Service	The `rexec` service, which is available with the `rsh-server` package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set `disable` to `yes` in `/etc/xinetd.d/rexec`. The `rexec` socket can be disabled with the following command: $ sudo systemctl mask --now rexec.socket	The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.
CCE-91421-8	Disable debug-shell SystemD Service	SystemD's `debug-shell` service is intended to diagnose SystemD related boot issues with various `systemctl` commands. Once enabled and following a system reboot, the root shell will be available on `tty9` which is access by pressing `CTRL-ALT-F9`. The `debug-shell` service should only be used for SystemD related issues and should otherwise be disabled. By default, the `debug-shell` SystemD service is already disabled. The `debug-shell` service can be disabled with the following command: $ sudo systemctl mask --now debug-shell.service	This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
CCE-91422-6	Disable the selinuxuser_execstack SELinux Boolean	By default, the SELinux boolean `selinuxuser_execstack` is enabled. This setting should be disabled as unconfined executables should not be able to make their stack executable. To disable the `selinuxuser_execstack` SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_execstack off	Disabling code execution from the stack blocks buffer overflow attacks.
CCE-91423-4	Enable the selinuxuser_execmod SELinux Boolean	By default, the SELinux boolean `selinuxuser_execmod` is enabled. If this setting is disabled, it should be enabled. To enable the `selinuxuser_execmod` SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_execmod on
CCE-91424-2	Disable the selinuxuser_execheap SELinux Boolean	By default, the SELinux boolean `selinuxuser_execheap` is disabled. When enabled this boolean is enabled it allows selinuxusers to execute code from the heap. If this setting is enabled, it should be disabled. To disable the `selinuxuser_execheap` SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_execheap off	Disabling code execution from the heap blocks buffer overflow attacks.
CCE-91425-9	Uninstall rsh-server Package	The `rsh-server` package can be removed with the following command: $ sudo zypper remove rsh-server	The `rsh-server` service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The `rsh-server` package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
CCE-91426-7	Verify /boot/grub2/grub.cfg Permissions	File permissions for `/boot/grub2/grub.cfg` should be set to 600. To properly set the permissions of `/boot/grub2/grub.cfg`, run the command: $ sudo chmod 600 /boot/grub2/grub.cfg	Proper permissions ensure that only the root user can modify important boot parameters.
CCE-91427-5	Direct root Logins Not Allowed	To further limit access to the `root` account, administrators can disable root logins at the console by editing the `/etc/securetty` file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface. This is dangerous as user can login to the system as root via Telnet, which sends the password in plain text over the network. By default, SUSE Linux Enterprise 15's `/etc/securetty` file only allows the root user to login at the console physically attached to the system. To prevent root from logging in, remove the contents of this file. To prevent direct root logins, remove the contents of this file by typing the following command: $ sudo echo > /etc/securetty	Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.
CCE-91428-3	Require Authentication for Single User Mode	Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, single-user mode is protected by requiring a password and is set in `/usr/lib/systemd/system/rescue.service`.	This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
CCE-91429-1	Restrict Serial Port Root Logins	To restrict root logins on serial ports, ensure lines of this form do not appear in `/etc/securetty`: ttyS0 ttyS1	Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.
CCE-91430-9	Restrict Virtual Console Root Logins	To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in `/etc/securetty`: vc/1 vc/2 vc/3 vc/4	Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
CCE-91431-7	Remove Rsh Trust Files	The files `/etc/hosts.equiv` and `~/.rhosts` (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location: $ sudo rm /etc/hosts.equiv $ rm ~/.rhosts	This action is only meaningful if `.rhosts` support is permitted through PAM. Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
CCE-91432-5	Uninstall talk Package	The `talk` package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user. The `talk` package can be removed with the following command: $ sudo zypper remove talk	The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the `talk` package decreases the risk of the accidental (or intentional) activation of talk client program.
CCE-91433-3	Uninstall talk-server Package	The `talk-server` package can be removed with the following command: $ sudo zypper remove talk-server	The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the `talk-server` package decreases the risk of the accidental (or intentional) activation of talk services.
CCE-91434-1	Remove telnet Clients	The telnet client allows users to start connections to other systems via the telnet protocol.	The `telnet` protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The `ssh` package provides an encrypted session and stronger security and is included in SUSE Linux Enterprise 15.
CCE-91435-8	Disable telnet Service	Make sure that the activation of the `telnet` service on system boot is disabled. The `telnet` socket can be disabled with the following command: $ sudo systemctl mask --now telnet.socket	The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.
CCE-91436-6	Uninstall xinetd Package	The `xinetd` package can be removed with the following command: $ sudo zypper remove xinetd	Removing the `xinetd` package decreases the risk of the xinetd service's accidental (or intentional) activation.
CCE-91437-4	Enable cron Service	The `crond` service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The `cron` service can be enabled with the following command: $ sudo systemctl enable cron.service	Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
CCE-91438-2	Disable xinetd Service	The `xinetd` service can be disabled with the following command: $ sudo systemctl mask --now xinetd.service	The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.
CCE-91439-0	Disable Host-Based Authentication	SSH's cryptographic host-based authentication is more secure than `.rhosts` authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. The default SSH configuration disables host-based authentication. The appropriate configuration is used if no value is set for `HostbasedAuthentication`. To explicitly disable host-based authentication, add or correct the following line in `/etc/ssh/sshd_config`: HostbasedAuthentication no	SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
CCE-91440-8	Allow Only SSH Protocol 2	Only SSH protocol version 2 connections should be permitted. The default setting in `/etc/ssh/sshd_config` is correct, and can be verified by ensuring that the following line appears: Protocol 2	SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
CCE-91441-6	Disable GSSAPI Authentication	Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. The default SSH configuration disallows authentications based on GSSAPI. The appropriate configuration is used if no value is set for `GSSAPIAuthentication`. To explicitly disable GSSAPI authentication, add or correct the following line in `/etc/ssh/sshd_config`: GSSAPIAuthentication no	GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.
CCE-91442-4	Disable Kerberos Authentication	Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. The default SSH configuration disallows authentication validation through Kerberos. The appropriate configuration is used if no value is set for `KerberosAuthentication`. To explicitly disable Kerberos authentication, add or correct the following line in `/etc/ssh/sshd_config`: KerberosAuthentication no	Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.
CCE-91443-2	Ensure SELinux Not Disabled in /etc/default/grub	SELinux can be disabled at boot time by an argument in `/etc/default/grub`. Remove any instances of `selinux=0` from the kernel arguments in that file to prevent SELinux from being disabled at boot.	Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
CCE-91444-0	Ensure No Daemons are Unconfined by SELinux	Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the `init` process, they inherit the `unconfined_service_t` context. To check for unconfined daemons, run the following command: $ sudo ps -eZ \| grep "unconfined_service_t" It should produce no output in a well-configured system.	Daemons which run with the `unconfined_service_t` context may cause AVC denials, or allow privileges that the daemon does not require.
CCE-91445-7	Configure SELinux Policy	The SELinux `targeted` policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in `/etc/selinux/config`: SELINUXTYPE=`targeted` Other policies, such as `mls`, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.	Setting the SELinux policy to `targeted` or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in `permissive` mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to .
CCE-91446-5	Ensure SELinux State is Enforcing	The SELinux state should be set to `enforcing` at system boot time. In the file `/etc/selinux/config`, add or correct the following line to configure the system to boot into enforcing mode: SELINUX=`enforcing` Ensure that all files have correct SELinux labels by running: fixfiles onboot Then reboot the system.	Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
CCE-91447-3	Disable Core Dumps for SUID programs	To set the runtime status of the `fs.suid_dumpable` kernel parameter, run the following command: $ sudo sysctl -w fs.suid_dumpable=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: fs.suid_dumpable = 0	The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
CCE-91448-1	Restrict Access to Kernel Message Buffer	To set the runtime status of the `kernel.dmesg_restrict` kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.dmesg_restrict = 1	Unprivileged access to the kernel syslog can expose sensitive kernel address information.
CCE-91449-9	Record Attempts to Alter Logon and Logout Events - faillock	The audit system already collects login information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w `/var/log/faillock` -p wa -k logins If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w `/var/log/faillock` -p wa -k logins	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
CCE-91450-7	Ensure auditd Collects Information on the Use of Privileged Commands - umount	At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add a line of the following form to `/etc/audit/audit.rules`: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged	Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
CCE-92451-4	Disable Mounting of cramfs	To configure the system to prevent the `cramfs` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/cramfs.conf`: install cramfs /bin/false This entry will cause a non-zero return value during a `cramfs` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install cramfs /bin/true This effectively prevents usage of this uncommon filesystem. The `cramfs` filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A `cramfs` image can be used without having to first decompress the image.	Removing support for unneeded filesystem types reduces the local attack surface of the server.
CCE-92452-2	Disable Mounting of squashfs	To configure the system to prevent the `squashfs` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/squashfs.conf`: install squashfs /bin/false This entry will cause a non-zero return value during a `squashfs` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install squashfs /bin/true This effectively prevents usage of this uncommon filesystem. The `squashfs` filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to `cramfs`). A `squashfs` image can be used without having to first decompress the image.	Removing support for unneeded filesystem types reduces the local attack surface of the system.
CCE-92453-0	Disable Mounting of udf	To configure the system to prevent the `udf` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/udf.conf`: install udf /bin/false This entry will cause a non-zero return value during a `udf` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install udf /bin/true This effectively prevents usage of this uncommon filesystem. The `udf` filesystem type is the universal disk format used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.	Removing support for unneeded filesystem types reduces the local attack surface of the system.
CCE-92454-8	Disable Mounting of vFAT filesystems	To configure the system to prevent the `vfat` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/vfat.conf`: install vfat /bin/false This entry will cause a non-zero return value during a `vfat` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install vfat /bin/true This effectively prevents usage of this uncommon filesystem. The `vFAT` filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types `FAT12`, `FAT16`, and `FAT32` all of which are supported by the `vfat` kernel module.	Removing support for unneeded filesystems reduces the local attack surface of the system.
CCE-92455-5	Add nodev Option to /tmp	The `nodev` mount option can be used to prevent device files from being created in `/tmp`. Legitimate character and block devices should not exist within temporary directories like `/tmp`. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/tmp`.	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.
CCE-92456-3	Add noexec Option to /dev/shm	The `noexec` mount option can be used to prevent binaries from being executed out of `/dev/shm`. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as `/dev/shm`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/dev/shm`.	Allowing users to execute binaries from world-writable directories such as `/dev/shm` can expose the system to potential compromise.
CCE-92457-1	Add nodev Option to /dev/shm	The `nodev` mount option can be used to prevent creation of device files in `/dev/shm`. Legitimate character and block devices should not exist within temporary directories like `/dev/shm`. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/dev/shm`.	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.
CCE-92458-9	Add nosuid Option to /dev/shm	The `nosuid` mount option can be used to prevent execution of setuid programs in `/dev/shm`. The SUID and SGID permissions should not be required in these world-writable directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/dev/shm`.	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
CCE-92459-7	Add nodev Option to /var/tmp	The `nodev` mount option can be used to prevent device files from being created in `/var/tmp`. Legitimate character and block devices should not exist within temporary directories like `/var/tmp`. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/tmp`.	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.
CCE-92460-5	Add nodev Option to /home	The `nodev` mount option can be used to prevent device files from being created in `/home`. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/home`.	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.
CCE-92461-3	Add noexec Option to Removable Media Partitions	The `noexec` mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of any removable media partitions.	Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.
CCE-92462-1	Add nodev Option to Removable Media Partitions	The `nodev` mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of any removable media partitions.	The only legitimate location for device files is the `/dev` directory located on the root partition. An exception to this is chroot jails, and it is not advised to set `nodev` on partitions which contain their root filesystems.
CCE-92463-9	Ensure nonessential services are removed or masked	A network port is identified by its number, the associated IP address, and the type of the communication protocol such as TCP or UDP. A listening port is a network port on which an application or process listens on, acting as a communication endpoint. Each listening port can be open or closed (filtered) using a firewall. In general terms, an open port is a network port that accepts incoming packets from remote locations.	Services listening on the system pose a potential risk as an attack vector. These services should be reviewed, and if not required, the service should be stopped, and the package containing the service should be removed. If required packages have a dependency, the service should be stopped and masked to reduce the attack surface of the system.
CCE-92464-7	Uninstall avahi Server Package	If the system does not need to have an Avahi server which implements the DNS Service Discovery and Multicast DNS protocols, the avahi-autoipd and avahi packages can be uninstalled.	Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface.
CCE-92465-4	Uninstall avahi-autoipd Server Package	If the system does not need to have an Avahi server which implements the DNS Service Discovery and Multicast DNS protocols, the avahi-autoipd and avahi packages can be uninstalled.	Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface.
CCE-92466-2	Uninstall CUPS Package	The `cups` package can be removed with the following command: $ sudo zypper remove cups	If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface.
CCE-92467-0	Uninstall rpcbind Package	The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. If the system does not require RPC (such as for NFS servers) then this service should be disabled. The `rpcbind` package can be removed with the following command: $ sudo zypper remove rpcbind	If the system does not require rpc based services, it is recommended that rpcbind be disabled to reduce the attack surface.
CCE-92468-8	Uninstall rsync Package	The rsyncd service can be used to synchronize files between systems over network links. The `rsync` package can be removed with the following command: $ sudo zypper remove rsync	The rsyncd service presents a security risk as it uses unencrypted protocols for communication.
CCE-92469-6	Install nftables Package	nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. The `nftables` package can be installed with the following command: $ sudo zypper install nftables	`nftables` is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host.
CCE-92470-4	Configure Firewalld to Use the Nftables Backend	Firewalld can be configured with many backends, such as nftables.	Nftables is modern kernel module for controlling network connections coming into a system. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.
CCE-92471-2	Uninstall firewalld Package	firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options. The `firewalld` package can be removed with the following command: $ sudo zypper remove firewalld	Running both nftables.service and firewalld.service may lead to conflict and unexpected results.
CCE-92472-0	Verify firewalld service disabled	Firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options. The `firewalld` service can be disabled with the following command: $ sudo systemctl mask --now firewalld.service	Running Firewalld along other service with the same functionality may lead to conflict and unexpected results.
CCE-92473-8	Configure Accepting Router Advertisements on All IPv6 Interfaces	To set the runtime status of the `net.ipv6.conf.all.accept_ra` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_ra = 0	An illicit router advertisement message could result in a man-in-the-middle attack.
CCE-92474-6	Disable Accepting Router Advertisements on all IPv6 Interfaces by Default	To set the runtime status of the `net.ipv6.conf.default.accept_ra` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_ra = 0	An illicit router advertisement message could result in a man-in-the-middle attack.
CCE-92475-3	Verify iptables Enabled	The `iptables` service can be enabled with the following command: $ sudo systemctl enable iptables.service	The `iptables` service provides the system's host-based firewalling capability for IPv4 and ICMP.
CCE-92476-1	Uninstall tcpd Package	The `tcpd` package can be removed with the following command: $ sudo zypper remove tcpd	Administrators can use TCP wrapper library and daemon for host control over network services. In these implementations, `xinetd` runs `tcpd` program, which first looks at the incoming connection as well as the access control lists in the /etc/hosts.allow and /etc/hosts.deny files. Removing the `xinetd` package decreases the risk of the xinetd service's accidental (or intentional) activation. The removal of `tcpd` package will support this protective measure in addition.
CCE-92477-9	Ensure /dev/shm is configured	The `/dev/shm` is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. If `/dev/shm` is not configured, tmpfs will be mounted to /dev/shm by systemd.	Any user can upload and execute files inside the `/dev/shm` similar to the `/tmp` partition. Configuring `/dev/shm` allows an administrator to set the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.
CCE-92478-7	Ensure the libaudit1 package as a part of audit Subsystem is Installed	The libaudit1 package should be installed.	The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
CCE-92479-5	Set Existing Passwords Warning Age	To configure how many days prior to password expiration that a warning will be issued to users, run the command: $ sudo chage --warndays `7` USER This profile requirement is `7`.	Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered.
CCE-92480-3	Set existing passwords a period of inactivity before they been locked	Configure user accounts that have been inactive for over a given period of time to be automatically disabled by running the following command: $ sudo chage --inactive 30 USER	Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
CCE-92481-1	Set nftables Configuration for Loopback Traffic	Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.	Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
CCE-92482-9	Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default	To set the runtime status of the `net.ipv4.conf.default.log_martians` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.log_martians=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.log_martians = 1	The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
CCE-92483-7	Set Default iptables Policy for Forwarded Packets	To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in `/etc/sysconfig/iptables`: :FORWARD DROP [0:0]	In `iptables`, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to `DROP` implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
CCE-92484-5	Ensure the Root Bash Umask is Set Correctly	To ensure the root user's umask of the Bash shell is set properly, add or correct the `umask` setting in `/root/.bashrc` or `/root/.profile` to read as follows: umask 0027	The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
CCE-92485-2	Ensure nftables Rules are Permanent	nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the `/etc/sysconfig/nftables.conf` file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the input, forward, and output base chains allow network traffic to be filtered.	Changes made to nftables ruleset only affect the live system, you will also need to configure the nftables ruleset to apply on boot
CCE-92486-0	Install McAfee Endpoint Security for Linux (ENSL)	Install McAfee Endpoint Security for Linux antivirus software which is provided for systems and uses signatures to search for the presence of viruses on the filesystem. The `McAfeeTP` package can be installed with the following command: $ sudo zypper install McAfeeTP	Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
CCE-92487-8	Ensure McAfee Endpoint Security for Linux (ENSL) is running	Install McAfee Endpoint Security for Linux antivirus software which is provided for systems and uses signatures to search for the presence of viruses on the filesystem.	Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
CCE-92488-6	Record Events When Executables Are Run As Another User	Verify the system generates an audit record when actions are run as another user. sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user. If audit is using the "auditctl" tool to load the rules, run the following command: $ sudo grep execve /etc/audit/audit.rules If audit is using the "augenrules" tool to load the rules, run the following command: $ sudo grep -r execve /etc/audit/rules.d -a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation -a always,exit -F arch=b64 S execve -C euid!=uid -F auid!=unset -k user_emulation If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.	Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo's logfile to verify if unauthorized commands have been executed. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
CCE-92489-4	Ensure package manager repositories are configured	Systems need to have package manager repositories configured to ensure they receive the latest patches and updates.	If the system's package repositories are misconfigured important patches may not be identified or a rogue repository could introduce compromised software.
CCE-92490-2	Install libselinux Package	The `libselinux` package can be installed with the following command: $ sudo zypper install libselinux	Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The `libselinux` package contains the core library of the Security-enhanced Linux system.
CCE-92491-0	Disable GNOME3 Automounting	The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount within GNOME3, add or set `automount` to `false` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/media-handling] automount=false Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/media-handling/automount After the settings have been set, run `dconf update`.	Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.
CCE-92492-8	Disable GNOME3 Automount Opening	The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount-open within GNOME3, add or set `automount-open` to `false` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/media-handling] automount-open=false Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/media-handling/automount-open After the settings have been set, run `dconf update`.	Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.
CCE-92493-6	Disable GNOME3 Automount running	The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable autorun-never within GNOME3, add or set `autorun-never` to `true` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/media-handling] autorun-never=true Once the settings have been added, add a lock to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/media-handling/autorun-never After the settings have been set, run `dconf update`.	Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mount running in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.
CCE-92494-4	Set Default iptables Policy for Incoming Packets	To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in `/etc/sysconfig/iptables`: :INPUT DROP [0:0]	In `iptables` the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to `DROP` implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
CCE-92495-1	Set GNOME3 Screensaver Lock Delay After Activation Period	To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set `lock-delay` to `uint32 0` in `/etc/dconf/db/local.d/00-security-settings`. For example: [org/gnome/desktop/screensaver] lock-delay=uint32 `0` After the settings have been set, run `dconf update`.	A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence.
CCE-92496-9	Disable IPv6 Addressing on All IPv6 Interfaces	To disable support for (`ipv6`) addressing on all interface add the following line to `/etc/sysctl.d/ipv6.conf` (or another file in `/etc/sysctl.d`): net.ipv6.conf.all.disable_ipv6 = 1 This disables IPv6 on all network interfaces as other services and system functionality require the IPv6 stack loaded to work.	Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.
CCE-92497-7	Ensure logging is configured	The `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf` files specifies rules for logging and which files are to be used to log certain classes of messages.	A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).
CCE-92498-5	Ensure Users Cannot Change GNOME3 Screensaver Settings	If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding `/org/gnome/desktop/screensaver/lock-delay` to `/etc/dconf/db/local.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/desktop/screensaver/lock-delay After the settings have been set, run `dconf update`.	A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.
CCE-92499-3	Verify Group Who Owns /etc/ipsec.d Directory	To properly set the group owner of `/etc/ipsec.d`, run the command: $ sudo chgrp root /etc/ipsec.d	The ownership of the /etc/ipsec.d directory by the root group is important because this directory hosts Libreswan configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the Libreswan configuration.
CCE-92500-8	Verify Group Who Owns /etc/nftables Directory	To properly set the group owner of `/etc/nftables`, run the command: $ sudo chgrp root /etc/nftables	The ownership of the /etc/nftables directory by the root group is important because this directory hosts nftables configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the nftables configuration.
CCE-92501-6	Verify Group Who Owns /etc/selinux Directory	To properly set the group owner of `/etc/selinux`, run the command: $ sudo chgrp root /etc/selinux	The ownership of the /etc/selinux directory by the root group is important because this directory hosts SELinux configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the SELinux configuration.
CCE-92502-4	Remove the GDM Package Group	By removing the `gdm` package, the system no longer has GNOME installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a `graphical.target` mode. To do so, run the following command: $ sudo yum remove gdm	Unnecessary service packages must not be installed to decrease the attack surface of the system. A graphical environment is unnecessary for certain types of systems including a virtualization hypervisor.
CCE-92503-2	Verify Group Who Owns /etc/sudoers.d Directory	To properly set the group owner of `/etc/sudoers.d`, run the command: $ sudo chgrp root /etc/sudoers.d	The ownership of the /etc/sudoers.d directory by the root group is important because this directory hosts sudo configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the sudo configuration.
CCE-92504-0	Ensure all users last password change date is in the past	All users should have a password change date in the past.	If a user recorded password change date is in the future then they could bypass any set password expiration.
CCE-92505-7	Use Only FIPS 140-2 Validated Key Exchange Algorithms	Limit the key exchange algorithms to those which are FIPS-approved. Add or modify the following line in `/etc/ssh/sshd_config` KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 This rule ensures that only the key exchange algorithms mentioned above (or their subset) are configured for use, keeping the given order of algorithms.	FIPS-approved key exchange algorithms are required to be used. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.
CCE-92506-5	Verify Group Who Owns /etc/sysctl.d Directory	To properly set the group owner of `/etc/sysctl.d`, run the command: $ sudo chgrp root /etc/sysctl.d	The ownership of the /etc/sysctl.d directory by the root group is important because this directory hosts kernel configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the kernel configuration.
CCE-92507-3	Ensure nftables Default Deny Firewall Policy	Base chain policy is the default verdict that will be applied to packets reaching the end of the chain. There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. Run the following commands and verify that base chains contain a policy of DROP. $ nft list ruleset \| grep 'hook input' type filter hook input priority 0; policy drop; $ nft list ruleset \| grep 'hook forward' type filter hook forward priority 0; policy drop; $ nft list ruleset \| grep 'hook output' type filter hook output priority 0; policy drop;	It is easier to allow acceptable usage than to block unacceptable usage.
CCE-92508-1	Verify User Who Owns /etc/ipsec.d Directory	To properly set the owner of `/etc/ipsec.d`, run the command: $ sudo chown root /etc/ipsec.d	The ownership of the /etc/ipsec.d directory by the root user is important because this directory hosts Libreswan configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the Libreswan configuration.
CCE-92509-9	Verify User Who Owns /etc/nftables Directory	To properly set the owner of `/etc/nftables`, run the command: $ sudo chown root /etc/nftables	The ownership of the /etc/nftables directory by the root user is important because this directory hosts nftables configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the nftables configuration.
CCE-92510-7	Verify User Who Owns /etc/selinux Directory	To properly set the owner of `/etc/selinux`, run the command: $ sudo chown root /etc/selinux	The ownership of the /etc/selinux directory by the root user is important because this directory hosts SELinux configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the SELinux configuration.
CCE-92511-5	Uninstall DHCP Client Package	If the system does not need to act as a DHCP client, the dhcp-client package can be uninstalled. The `dhcp-client` package can be removed with the following command: $ sudo zypper remove dhcp-client	Removing the DHCP client is necessary when the system works or will work in a static network environment. In this case the system has/will have a static IP address assigned.
CCE-92512-3	Verify User Who Owns /etc/sudoers.d Directory	To properly set the owner of `/etc/sudoers.d`, run the command: $ sudo chown root /etc/sudoers.d	The ownership of the /etc/sudoers.d directory by the root user is important because this directory hosts sudo configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the sudo configuration.
CCE-92513-1	Verify User Who Owns /etc/sysctl.d Directory	To properly set the owner of `/etc/sysctl.d`, run the command: $ sudo chown root /etc/sysctl.d	The ownership of the /etc/sysctl.d directory by the root user is important because this directory hosts kernel configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the kernel configuration.
CCE-92514-9	Configure Systemd Timesyncd Root Distance Servers	`systemd-timesyncd` server configuration should have RootDistanceMaxSec is listed in accordance with local policy. This setting describes the maximum estimated time required for a packet to travel to the server connected.	Configuring `systemd-timesyncd` RootDistanceMaxSec ensures time synchronization is using servers that are close enough to the client.
CCE-92515-6	Record Events that Modify the System's Mandatory Access Controls in usr/share	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /usr/share/selinux/ -p wa -k MAC-policy If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /usr/share/selinux/ -p wa -k MAC-policy	The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
CCE-92516-4	Configure Systemd Timer Execution of AIDE	At a minimum, AIDE should be configured to run a weekly scan. To implement a systemd service and a timer unit to run the service periodically: For example, if a systemd timer is expected to be started every day at 5AM OnCalendar=--* 05:00:0 [Timer] section in the timer unit and a Unit section starting the AIDE check service unit should be referred.	AIDE provides a means to check if unauthorized changes are made to the system. AIDE itself does not setup a periodic execution, so in order to detect unauthorized changes a systemd service to run the check and a systemd timer to take care of periodical execution of that systemd service should be defined.
CCE-92517-2	Verify Permissions On /etc/ipsec.d Directory	To properly set the permissions of `/etc/ipsec.d`, run the command: $ sudo chmod 0700 /etc/ipsec.d	Setting correct permissions on the /etc/ipsec.d directory is important because this directory hosts Libreswan configuration. Protection of this directory is critical for system security. Restricting the permissions ensures exclusive control of the Libreswan configuration.
CCE-92518-0	Uninstall nftables package	nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. The `nftables` package can be removed with the following command: $ sudo zypper remove nftables	Running both `firewalld` and `nftables` may lead to conflict.
CCE-92519-8	The mailx Package Is Installed	A mail server is required for sending emails. The `mailx` package can be installed with the following command: $ sudo zypper install mailx	Emails can be used to notify designated personnel about important system events such as failures or warnings.
CCE-92520-6	Disable the GNOME3 Login User List	In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting `disable-user-list` to `true`. To disable, add or edit `disable-user-list` to `/etc/dconf/db/gdm.d/00-security-settings`. For example: [org/gnome/login-screen] disable-user-list=true Once the setting has been added, add a lock to `/etc/dconf/db/gdm.d/locks/00-security-settings-lock` to prevent user modification. For example: /org/gnome/login-screen/disable-user-list After the settings have been set, run `dconf update`.	Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.
CCE-92521-4	Verify Permissions On /etc/nftables Directory	To properly set the permissions of `/etc/nftables`, run the command: $ sudo chmod 0700 /etc/nftables	Setting correct permissions on the /etc/nftables directory is important because this directory hosts nftables configuration. Protection of this directory is critical for system security. Restricting the permissions ensures exclusive control of the nftables configuration.
CCE-92522-2	Enforce Usage of pam_wheel with Group Parameter for su Authentication	To ensure that only users who are members of the group set in the `group` option of `pam_wheel.so` module can run commands with altered privileges through the `su` command, make sure that the following line exists in the file `/etc/pam.d/su`: auth required pam_wheel.so use_uid group=`sugroup`	The `su` program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice.
CCE-92523-0	Ensure iptables are flushed	nftables is a replacement for iptables, ip6tables, ebtables and arptables	It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded.
CCE-92524-8	Verify Permissions On /etc/selinux Directory	To properly set the permissions of `/etc/selinux`, run the command: $ sudo chmod 0755 /etc/selinux	Setting correct permissions on the /etc/selinux directory is important because this directory hosts SELinux configuration. Protection of this directory is critical for system security. Restricting the permissions ensures exclusive control of the SELinux configuration.
CCE-92525-5	Verify Permissions On /etc/sudoers.d Directory	To properly set the permissions of `/etc/sudoers.d`, run the command: $ sudo chmod 0750 /etc/sudoers.d	Setting correct permissions on the /etc/sudoers.d directory is important because this directory hosts sudo configuration. Protection of this directory is critical for system security. Restricting the permissions ensures exclusive control of the sudo configuration.
CCE-92526-3	Chrony Configure Pool and Server	`Chrony` is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on `chrony` can be found at https://chrony-project.org/. `Chrony` can be configured to be a client and/or a server. Add or edit server or pool lines to `/etc/chrony.conf` as appropriate: server <remote-server> Multiple servers may be configured.	If `chrony` is in use on the system proper configuration is vital to ensuring time synchronization is working properly.
CCE-92527-1	Verify Permissions On /etc/sysctl.d Directory	To properly set the permissions of `/etc/sysctl.d`, run the command: $ sudo chmod 0755 /etc/sysctl.d	Setting correct permissions on the /etc/sysctl.d directory is important because this directory hosts kernel configuration. Protection of this directory is critical for system security. Restricting the permissions ensures exclusive control of the kernel configuration.
CCE-92528-9	Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty	Ensure that the group `sugroup` referenced by `var_pam_wheel_group_for_su` variable and used as value for the `pam_wheel.so` `group` option exists and has no members. This empty group used by `pam_wheel.so` in `/etc/pam.d/su` ensures that no user can run commands with altered privileges through the `su` command.	The `su` program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice.
CCE-92529-7	Verify nftables Service is Disabled	nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. The `nftables` service can be disabled with the following command: systemctl disable nftables	Running both `firewalld` and `nftables` may lead to conflict. `nftables` is actually one of the backends for `firewalld` management tools.
CCE-92530-5	System Audit Logs Must Have Mode 0750 or Less Permissive	If `log_group` in `/etc/audit/auditd.conf` is set to a group other than the `root` group account, change the mode of the audit log files with the following command: $ sudo chmod 0750 /var/log/audit Otherwise, change the mode of the audit log files with the following command: $ sudo chmod 0700 /var/log/audit	If users can write to audit logs, audit trails can be modified or destroyed.
CCE-92531-3	Ensure Outbound and Established Connections are Configured	Configure the firewall rules for new outbound and established connections.	If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage.
CCE-92532-1	Ensure Authentication Required for Single User Mode	Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.	Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials.
CCE-92533-9	Ensure that /etc/cron.allow exists	The file `/etc/cron.allow` should exist and should be used instead of `/etc/cron.deny`.	Access to `crontab` should be restricted. It is easier to manage an allow list than a deny list. Therefore, `/etc/cron.allow` needs to be created and used instead of `/etc/cron.deny`. Regardless of the existence of any of these files, the root administrative user is always allowed to setup a crontab.
CCE-92534-7	System Audit Logs Must Be Group Owned By Root	All audit logs must be group owned by root user. The path for audit log can be configured via `log_file` parameter in /etc/audit/auditd.conf or, by default, the path for audit log is /var/log/audit/ . To properly set the group owner of `/var/log/audit/`, run the command: $ sudo chgrp root /var/log/audit/ If `log_group` in `/etc/audit/auditd.conf` is set to a group other than the `root` group account, change the group ownership of the audit logs to this specific group.	Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
CCE-92535-4	Verify Group Who Owns /etc/ipsec.conf File	To properly set the group owner of `/etc/ipsec.conf`, run the command: $ sudo chgrp root /etc/ipsec.conf	The ownership of the /etc/ipsec.conf file by the root group is important because this file hosts Libreswan configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the Libreswan configuration.
CCE-92536-2	Enforce all AppArmor Profiles	AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command: $ sudo aa-enforce /etc/apparmor.d/* To list unconfined processes run the following command: $ sudo aa-unconfined Any unconfined processes may need to have a profile created or activated for them and then be restarted.	Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This recommendation is intended to ensure that any policies that exist on the system are activated.
CCE-92537-0	Verify Group Who Owns /etc/ipsec.secrets File	To properly set the group owner of `/etc/ipsec.secrets`, run the command: $ sudo chgrp root /etc/ipsec.secrets	The ownership of the /etc/ipsec.secrets file by the root group is important because this file hosts Libreswan configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the Libreswan configuration.
CCE-92538-8	Configure Systemd Timesyncd Servers	`systemd-timesyncd` is a daemon that has been added for synchronizing the system clock across the network. The `systemd-timesyncd` daemon implements: - Implements an SNTP client - Runs with minimal privileges - Saves the current clock to disk every time a new NTP sync has been acquired - Is hooked up with networkd to only operate when network connectivity is available Add or edit server or pool lines to `/etc/systemd/timesyncd.conf` as appropriate: server <remote-server> Multiple servers may be configured.	Configuring `systemd-timesyncd` ensures time synchronization is working properly.
CCE-92539-6	Verify Group Who Owns /etc/security/opasswd File	To properly set the group owner of `/etc/security/opasswd`, run the command: $ sudo chgrp root /etc/security/opasswd	The `/etc/security/opasswd` file stores old passwords to prevent password reuse. Protection of this file is critical for system security.
CCE-92540-4	Verify Group Who Owns /etc/security/opasswd.old File	To properly set the group owner of `/etc/security/opasswd.old`, run the command: $ sudo chgrp root /etc/security/opasswd.old	The `/etc/security/opasswd.old` file stores backups of old passwords to prevent password reuse. Protection of this file is critical for system security.
CCE-92541-2	Verify Group Who Owns /etc/shells File	To properly set the group owner of `/etc/shells`, run the command: $ sudo chgrp root /etc/shells	The `/etc/shells` file contains the list of full pathnames to shells on the system. Since this file is used by many system programs this file should be protected.
CCE-92542-0	Ensure GPG keys are configured	The operation system or installed application can be successfully bootstrapped without the GPG key being trusted. However, you cannot install new packages or update them until the keys are trusted. Most packages managers implement GPG key signing to verify package integrity during installation. To verify GPG keys are configured correctly for your package manager, one of the following command groups may provide the needed information depending on the package manager in use. In SUSE Linux distributions, the administrators have to follow the next steps: 1. Log on to the system as a user with administrator rights. 2. Locate and download package, for example zoom_x86_64.rpm 3. Locate and download the public key (GPG) from the software download site, for example the key for zoom package is package-signing-key-5-12-6.pub 4. Import the key public key: `$ sudo rpm --import package-signing-key-5-12-6.pub` 5. List the keys, for example the command: `$ sudo rpm -qa gpg-pubkey*` will provide: `gpg-pubkey-dd79b481-62fe7502` 6. Get more details about the key, via the command: `$ sudo rpm -qa gpg-pubkey-dd79b481-62fe7502` 7. Check the GPG key, for example the command: `$ sudo rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'` will provide: `gpg-pubkey-dd79b481-62fe7502 --> gpg(Zoom Video Communications, Inc. <CryptoOpsCodeSignProd@zoom.us>)`	It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system.
CCE-92543-8	Verify that audit tools are owned by group root	The SUSE Linux Enterprise 15 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command: $ stat -c "%n %G" /usr/sbin/auditctl /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace /usr/sbin/auditd /usr/sbin/augenrules /usr/sbin/audisp-syslog /usr/sbin/auditctl root /usr/sbin/aureport root /usr/sbin/ausearch root /usr/sbin/autrace root /usr/sbin/auditd root /usr/sbin/augenrules root /usr/sbin/audisp-syslog root Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators	Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.
CCE-92544-6	Audit Configuration Files Must Be Owned By Group root	All audit configuration files must be owned by group root. chown :root /etc/audit/audit.{rules,conf} /etc/audit/rules.d/	Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
CCE-92545-3	Verify User Who Owns /etc/security/opasswd File	To properly set the owner of `/etc/security/opasswd`, run the command: $ sudo chown root /etc/security/opasswd	The `/etc/security/opasswd` file stores old passwords to prevent password reuse. Protection of this file is critical for system security.
CCE-92546-1	Verify User Who Owns /etc/security/opasswd.old File	To properly set the owner of `/etc/security/opasswd.old`, run the command: $ sudo chown root /etc/security/opasswd.old	The `/etc/security/opasswd.old` file stores backups of old passwords to prevent password reuse. Protection of this file is critical for system security.
CCE-92547-9	Verify Who Owns /etc/shells File	To properly set the owner of `/etc/shells`, run the command: $ sudo chown root /etc/shells	The `/etc/shells` file contains the list of full pathnames to shells on the system. Since this file is used by many system programs this file should be protected.
CCE-92548-7	All AppArmor Profiles are in enforce or complain mode	AppArmor profiles define what resources applications are able to access. To set all profiles to either `enforce` or `complain` mode run the following command to set all profiles to `enforce` mode: $ sudo aa-enforce /etc/apparmor.d/* run the following command to set all profiles to `complain` mode: $ sudo aa-complain /etc/apparmor.d/* To list unconfined processes run the following command: $ sudo aa-unconfined Any unconfined processes may need to have a profile created or activated for them and then be restarted.	Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This recommendation is intended to ensure that any policies that exist on the system are activated.
CCE-92549-5	Verify that audit tools are owned by root	The SUSE Linux Enterprise 15 operating system audit tools must have the proper ownership configured to protected against unauthorized access. Verify it by running the following command: $ stat -c "%n %U" /usr/sbin/auditctl /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace /usr/sbin/auditd /usr/sbin/augenrules /usr/sbin/audisp-syslog /usr/sbin/auditctl root /usr/sbin/aureport root /usr/sbin/ausearch root /usr/sbin/autrace root /usr/sbin/auditd root /usr/sbin/augenrules root /usr/sbin/audisp-syslog root Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators	Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.
CCE-92550-3	Audit Configuration Files Must Be Owned By Root	All audit configuration files must be owned by root user. To properly set the owner of `/etc/audit/`, run the command: $ sudo chown root /etc/audit/ To properly set the owner of `/etc/audit/rules.d/`, run the command: $ sudo chown root /etc/audit/rules.d/	Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
CCE-92551-1	Record Attempts to perform maintenance activities	The SUSE Linux Enterprise 15 operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access. Verify the operating system audits activities performed during nonlocal maintenance and diagnostic sessions. Run the following command: $ sudo auditctl -l \| grep sudo.log -w /var/log/sudo.log -p wa -k maintenance If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/log/sudo.log -p wa -k maintenance If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/log/sudo.log -p wa -k maintenance	If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch.
CCE-92552-9	Ensure Unnecessary Services and Ports Are Not Accepted	Services and ports can be accepted or explicitly rejected or dropped by a zone. For every zone, a default behavior can be set that handles incoming traffic that is not further specified. Such behavior is defined by setting the target of the zone. The possible options are: - `ACCEPT` - accepts all incoming packets except those disabled by a specific rule. - `REJECT` - disables all incoming packets except those that have been allowed in specific rules and the source machine is informed about the rejection. - `DROP` - disables all incoming packets except those that have been allowed in specific rules and no information sent to the source machine.	To reduce the attack surface of a system, all services and ports should be blocked unless required.
CCE-92553-7	System Audit Logs Must Be Owned By Root	All audit logs must be owned by root user. The path for audit log can be configured via `log_file` parameter in /etc/audit/auditd.conf or by default, the path for audit log is /var/log/audit/ . To properly set the owner of `/var/log/audit/`, run the command: $ sudo chown root /var/log/audit/	Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
CCE-92554-5	Ensure User Bash History File Has Correct Permissions	Set the mode of the bash history file to `0600` with the following command: $ sudo chmod 0600 /home/USER/.bash_history	Incorrect permissions may enable malicious users to recover other users' command history.
CCE-92555-2	Verify that audit tools Have Mode 0755 or less	The SUSE Linux Enterprise 15 operating system audit tools must have the proper permissions configured to protected against unauthorized access. Verify it by running the following command: $ stat -c "%n %a" /usr/sbin/auditctl /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace /usr/sbin/auditd /usr/sbin/augenrules /usr/sbin/audisp-syslog /usr/sbin/auditctl 755 /usr/sbin/aureport 755 /usr/sbin/ausearch 755 /usr/sbin/autrace 755 /usr/sbin/auditd 755 /usr/sbin/augenrules 755 /usr/sbin/audisp-syslog 755 Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators	Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.
CCE-92556-0	Ensure network interfaces are assigned to appropriate zone	Firewall zones define the trust level of network connections or interfaces. Note: Changing firewall settings while connected over network can result in being locked out of the system.	A network interface not assigned to the appropriate zone can allow unexpected or undesired network traffic to be accepted on the interface.
CCE-92557-8	Audit Configuration Files Permissions are 640 or More Restrictive	All audit configuration files permissions must be 640 or more restrictive. chmod 0640 /etc/audit/audit.{rules,conf} /etc/audit/rules.d/	Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
CCE-92558-6	Verify Permissions on /etc/security/opasswd File	To properly set the permissions of `/etc/security/opasswd`, run the command: $ sudo chmod 0600 /etc/security/opasswd	The `/etc/security/opasswd` file stores old passwords to prevent password reuse. Protection of this file is critical for system security.
CCE-92559-4	Verify Permissions on /etc/security/opasswd.old File	To properly set the permissions of `/etc/security/opasswd.old`, run the command: $ sudo chmod 0600 /etc/security/opasswd.old	The `/etc/security/opasswd.old` file stores backups of old passwords to prevent password reuse. Protection of this file is critical for system security.
CCE-92560-2	Verify nftables Service is Enabled	The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service The `nftables` service can be enabled with the following command: $ sudo systemctl enable nftables.service	The nftables service restores the nftables rules from the rules files referenced in the `/etc/sysconfig/nftables.conf` file during boot or the starting of the nftables service
CCE-92561-0	Ensure logrotate is Installed	logrotate is installed by default. The `logrotate` package can be installed with the following command: $ sudo zypper install logrotate	The logrotate package provides the logrotate services.
CCE-92562-8	Verify Permissions on /etc/shells File	To properly set the permissions of `/etc/shells`, run the command: $ sudo chmod 0644 /etc/shells	The `/etc/shells` file contains the list of full pathnames to shells on the system. Since this file is used by many system programs this file should be protected.
CCE-92563-6	Disable XDMCP in GDM	XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. XDMCP Gnome docs. To disable XDMCP support in Gnome, set `Enable` to `false` under the `[xdmcp]` configuration section in `/etc/gdm/custom.conf`. For example: [xdmcp] Enable=false	XDMCP provides unencrypted remote access through the Gnome Display Manager (GDM) which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using XDMCP, the privileged user password could be compromised due to typed XEvents and keystrokes will traversing over the network in clear text.
CCE-92564-4	Ensure all outbound and established connections are configured for nftables	Configure the nftables firewall rules for new outbound and established connections	If rules are not in place for new outbound and established connections, all packets will be dropped by the default policy preventing network usage.
CCE-92565-1	Verify Only Group Root Has GID 0	If any group other than root has a GID of 0, this misconfiguration should be investigated and the groups other than root should be removed or have their GID changed.	Ensuring that only the `root` group has a GID of 0 helps prevent root group owned files from becoming accidentally accessible to non-privileged users.
CCE-92566-9	Ensure journald ForwardToSyslog is disabled	Data from journald should be kept in the confines of the service and not forwarded to other services.	If journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms.
CCE-92567-7	Enable seccomp to safely compute untrusted bytecode	This kernel feature is useful for number crunching applications that may need to compute untrusted bytecode during their execution. By using pipes or other transports made available to the process as file descriptors supporting the read/write syscalls, it's possible to isolate those applications in their own address space using seccomp. The configuration that was used to build kernel is available at `/boot/config-`. To check the configuration value for `CONFIG_SECCOMP`, run the following command: `grep CONFIG_SECCOMP /boot/config-` For each kernel installed, a line with value "y" should be returned.	`seccomp` enables the ability to filter system calls made by an application, effectively isolating the system's resources from it.
CCE-92568-5	Enable use of Berkeley Packet Filter with seccomp	Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement task-defined system call filtering polices. The configuration that was used to build kernel is available at `/boot/config-`. To check the configuration value for `CONFIG_SECCOMP_FILTER`, run the following command: `grep CONFIG_SECCOMP_FILTER /boot/config-` For each kernel installed, a line with value "y" should be returned.	Use of BPF filters allows for expressive filtering of system calls using a filter program language with a long history of being exposed to userland.
CCE-92569-3	Ensure a Table Exists for Nftables	Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families.	Nftables doesn't have any default tables. Without a table being built, nftables will not filter network traffic.
CCE-92570-1	Enable different security models	This allows you to choose different security modules to be configured into your kernel. The configuration that was used to build kernel is available at `/boot/config-`. To check the configuration value for `CONFIG_SECURITY`, run the following command: `grep CONFIG_SECURITY /boot/config-` For each kernel installed, a line with value "y" should be returned.	This is enables kernel security primitives required by the LSM framework.
CCE-92571-9	Disable mutable hooks	Ensure kernel structures associated with LSMs are always mapped as read-only after system boot. The configuration that was used to build kernel is available at `/boot/config-`. To check the configuration value for `CONFIG_SECURITY_WRITABLE_HOOKS`, run the following command: `grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config-` Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.	If CONFIG_SECURITY_WRITABLE_HOOKS is enabled, then hooks can be loaded at runtime and being able to manipulate hooks is a way to bypass all LSMs.
CCE-92572-7	Enable Yama support	This enables support for LSM module Yama, which extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. The module will limit the use of the system call `ptrace()`. The configuration that was used to build kernel is available at `/boot/config-`. To check the configuration value for `CONFIG_SECURITY_YAMA`, run the following command: `grep CONFIG_SECURITY_YAMA /boot/config-` For each kernel installed, a line with value "y" should be returned.	Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user.
CCE-92573-5	Disable Mounting of freevxfs	To configure the system to prevent the `freevxfs` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/freevxfs.conf`: install freevxfs /bin/false This entry will cause a non-zero return value during a `freevxfs` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install freevxfs /bin/true This effectively prevents usage of this uncommon filesystem.	Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
CCE-92574-3	Disable Mounting of hfs	To configure the system to prevent the `hfs` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/hfs.conf`: install hfs /bin/false This entry will cause a non-zero return value during a `hfs` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install hfs /bin/true This effectively prevents usage of this uncommon filesystem.	Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
CCE-92575-0	Disable Mounting of hfsplus	To configure the system to prevent the `hfsplus` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/hfsplus.conf`: install hfsplus /bin/false This entry will cause a non-zero return value during a `hfsplus` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install hfsplus /bin/true This effectively prevents usage of this uncommon filesystem.	Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
CCE-92576-8	Record Attempts to Alter Logon and Logout Events - faillog	The audit system already collects login information for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/log/faillog -p wa -k logins If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/log/faillog -p wa -k logins	Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
CCE-92577-6	Disable Mounting of jffs2	To configure the system to prevent the `jffs2` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/jffs2.conf`: install jffs2 /bin/false This entry will cause a non-zero return value during a `jffs2` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install jffs2 /bin/true This effectively prevents usage of this uncommon filesystem.	Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
CCE-92578-4	Ensure Base Chains Exist for Nftables	Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families. Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization.	If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables.
CCE-92579-2	Ensure overlayfs kernel module is not available	To configure the system to prevent the `overlayfs` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/overlayfs.conf`: install overlayfs /bin/false This entry will cause a non-zero return value during a `overlayfs` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install overlayfs /bin/true overlayfs is a Linux filesystem that layers multiple filesystems to create a single unified view which allows a user to "merge" several mount points into a unified filesystem.	The overlayfs has known CVE's. Disabling the overlayfs reduces the local attack surface by removing support for unnecessary filesystem types and mitigates potential risks associated with unauthorized execution of setuid files, enhancing the overall system security.
CCE-92580-0	Disable RDS Support	The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the `rds` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/rds.conf`: install rds /bin/false This entry will cause a non-zero return value during a `rds` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install rds /bin/true	Disabling RDS protects the system against exploitation of any flaws in its implementation.
CCE-92581-8	Disable TIPC Support	The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the `tipc` kernel module from being loaded, add the following line to the file `/etc/modprobe.d/tipc.conf`: install tipc /bin/false This entry will cause a non-zero return value during a `tipc` module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both `/bin/true` and `/bin/false` are allowed by OVAL and will be accepted by the scan): install tipc /bin/true	Disabling TIPC protects the system against exploitation of any flaws in its implementation.
CCE-92582-6	Ensure One Logging Service Is In Use	Ensure that a logging system is active and in use. systemctl is-active rsyslog systemd-journald The command should return at least one `active`.	The system should have one active logging service to avoid conflicts and ensure consistency.
CCE-92583-4	Add nodev Option to /var/log/audit	The `nodev` mount option can be used to prevent device files from being created in `/var/log/audit`. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log/audit`.	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.
CCE-92584-2	Add noexec Option to /var/log/audit	The `noexec` mount option can be used to prevent binaries from being executed out of `/var/log/audit`. Add the `noexec` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log/audit`.	Allowing users to execute binaries from directories containing audit log files such as `/var/log/audit` should never be necessary in normal operation and can expose the system to potential compromise.
CCE-92585-9	Enable logrotate Timer	The `logrotate` timer can be enabled with the following command: $ sudo systemctl enable logrotate.timer	Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
CCE-92586-7	Ensure auditd Collects Changes to Cron Jobs - /etc/cron.d/	At a minimum, the audit system should collect administrator actions for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/cron.d/ -p wa -k cronjobs If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/cron.d/ -p wa -k cronjobs	The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk.
CCE-92587-5	Add nosuid Option to /var/log/audit	The `nosuid` mount option can be used to prevent execution of setuid programs in `/var/log/audit`. The SUID and SGID permissions should not be required in directories containing audit log files. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log/audit`.	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files.
CCE-92588-3	Ensure auditd Collects Changes to Cron Jobs - /var/spool/cron	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /var/spool/cron -p wa -k cronjobs If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /var/spool/cron -p wa -k cronjobs	In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
CCE-92589-1	Add nodev Option to /var/log	The `nodev` mount option can be used to prevent device files from being created in `/var/log`. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var/log`.	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.
CCE-92590-9	Add nodev Option to /var	The `nodev` mount option can be used to prevent device files from being created in `/var`. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/var`.	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.
CCE-92591-7	Verify Non-Interactive Accounts Are Locked	Accounts meant for non-interactive purposes should be locked to prevent unauthorized access. Accounts with non-standard shells (those not defined in `/etc/shells`) should be locked using `usermod -L`.	Locking non-interactive accounts improves security by preventing potential misuse. While many systems configure these accounts with invalid strings, setting the shell field to `nologin` is also suggested
CCE-92592-5	Ensure nologin Shell is Not Listed in /etc/shells	The `/sbin/nologin` shell is used to restrict accounts from having login access and should not be listed as a valid login shell in `/etc/shells`. To verify that nologin is not listed in /etc/shells, run: $ grep nologin /etc/shells The command should return no output.	The `/etc/shells` is consulted by various programs to evaluate whether the user is somehow restricted. For example, the chsh utility will consult the file to determine if the user is allowed to change their shell.
CCE-92593-3	Ensure that System Accounts Are Locked	Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. An attacker should not be able to log into these accounts. System accounts are those user accounts with a user ID less than `1000`. If any system account other than `root`, `halt`, `sync`, `shutdown` and `nfsnobody` has an unlocked password, disable it with the command: $ sudo usermod -L account	Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.
CCE-92594-1	Ensure AppArmor is installed	AppArmor provide Mandatory Access Controls.	Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.
CCE-92595-8	Uninstall cyrus-imapd Package	The `cyrus-imapd` package can be removed with the following command: $ sudo zypper remove cyrus-imapd	If there is no need to make the cyrus-imapd software available, removing it provides a safeguard against its activation.
CCE-92596-6	Uninstall dnsmasq Package	dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services. The `dnsmasq` package can be removed with the following command: $ sudo zypper remove dnsmasq	Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed to reduce the potential attack surface.
CCE-92597-4	Remove ftp Package	FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server). The `ftp` package can be removed with the following command: $ sudo zypper remove ftp	FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface.
CCE-92598-2	Install systemd-journal-remote Package	Journald (via systemd-journal-remote ) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management.	Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.
CCE-92599-0	Ensure rsyslog Default File Permissions Configured	rsyslog will create logfiles that do not already exist on the system. This settings controls what permissions will be applied to these newly created files.	It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.
CCE-92600-6	Disable Bluetooth Service	The `bluetooth` service can be disabled with the following command: $ sudo systemctl mask --now bluetooth.service $ sudo service bluetooth stop	Disabling the `bluetooth` service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.
CCE-92601-4	The Chronyd service is enabled	chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at https://chrony-project.org/. Chrony can be configured to be a client and/or a server. To enable Chronyd service, you can run: `# systemctl enable chronyd.service` This recommendation only applies if chrony is in use on the system.	If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.
CCE-92602-2	Disable dnsmasq Service	The `dnsmasq` service can be disabled with the following command: $ sudo systemctl mask --now dnsmasq.service	Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed to reduce the potential attack surface.
CCE-92603-0	Disable LDAP Server (slapd)	The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.	If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface.
CCE-92604-8	Enable systemd-journal-upload Service	The `systemd-journal-upload` service is part of the `systemd-journal-remote` package and enables centralized logging by uploading local systemd journal entries to a remote log server via HTTPS. This service acts as a client that pushes journal data to a remote host running the `systemd-journal-remote` receiver service. The `systemd-journal-upload` service can be enabled with the following command: $ sudo systemctl enable systemd-journal-upload.service	Centralized logging through `systemd-journal-upload` is essential for security monitoring, incident response, and compliance requirements. Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data stored locally to hide their activities. Remote logging ensures that audit trails remain intact even if the local system is compromised. Additionally, centralized logs facilitate correlation of events across multiple systems, enabling better detection of distributed attacks and security incidents.
CCE-92605-5	Enable systemd-journald Service	The `systemd-journald` service is an essential component of systemd. The `systemd-journald` service can be enabled with the following command: $ sudo systemctl enable systemd-journald.service	In the event of a system failure, SUSE Linux Enterprise 15 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.
CCE-92606-3	Disable tftp Service	The `tftp` service should be disabled. The `tftp` service can be disabled with the following command: $ sudo systemctl mask --now tftp.service	Disabling the `tftp` service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication.
CCE-92607-1	Set PAM Password Hashing Algorithm - password-auth	The PAM system service can be configured to only store encrypted representations of passwords. In `/etc/pam.d/password-auth`, the `password` section of the file controls which PAM modules to execute during a password change. Set the `pam_unix.so` module in the `password` section to include the option `sha512` and no other hashing algorithms as shown below: password sufficient pam_unix.so `sha512` other arguments... This will help ensure that new passwords for local users will be stored using the `sha512` algorithm.	Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the `crypt_style` configuration option in `/etc/libuser.conf` ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
CCE-92608-9	Disable systemd-journal-remote Socket	Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: The same package, systemd-journal-remote , is used for both sending logs to remote hosts and receiving incoming logs. With regards to receiving logs, there are two Systemd unit files; systemd-journal-remote.socket and systemd-journal-remote.service.	If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary.
CCE-92609-7	Configure ARP filtering for All IPv4 Interfaces	To set the runtime status of the `net.ipv4.conf.all.arp_filter` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_filter=`0` To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.arp_filter = `0`	Prevents the Linux Kernel from handling the ARP table globally. By default, the kernel may respond to an ARP request from a certain interface with information from another interface.
CCE-92610-5	Configure Response Mode of ARP Requests for All IPv4 Interfaces	To set the runtime status of the `net.ipv4.conf.all.arp_ignore` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_ignore=`0` To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.arp_ignore = `0`	Avoids ARP Flux on system that have more than one interface on the same subnet.
CCE-92611-3	Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces	To set the runtime status of the `net.ipv4.conf.all.route_localnet` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.route_localnet=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.route_localnet = 0	Refuse the routing of packets whose source or destination address is the local loopback. This prohibits the use of network 127/8 for local routing purposes. Enabling `route_localnet` can expose applications listening on localhost to external traffic.
CCE-92612-1	Configure systemd-journal-upload TLS parameters: ServerKeyFile, ServerCertificateFile and TrustedCertificateFile	SUSE Linux Enterprise 15 must offload rsyslog messages for networked systems in real time and offload standalone systems at least weekly	Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity
CCE-92613-9	Configure systemd-journal-upload URL	SUSE Linux Enterprise 15 must offload rsyslog messages for networked systems in real time and offload standalone systems at least weekly	Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity
CCE-92622-0	Verify No .forward Files Exist	The `.forward` file specifies an email address to forward the user's mail to.	Use of the `.forward` file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions.
CCE-92626-1	Use Only Strong Key Exchange algorithms	Limit the Key Exchange to strong algorithms. The following line in `/etc/ssh/sshd_config` demonstrates use of those: KexAlgorithms `ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256`	Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received
CCE-92655-0	Verify No netrc Files Exist	The `.netrc` files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any `.netrc` files should be removed.	Unencrypted passwords for remote FTP servers may be stored in `.netrc` files.
CCE-92692-3	Configure Logind to terminate idle sessions after certain time of inactivity	To configure `logind` service to terminate inactive user sessions after `300` seconds, edit the file `/etc/systemd/logind.conf`. Ensure that there is a section [Login] which contains the configuration StopIdleSessionSec=`300` .	Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.
CCE-92693-1	Record Access Events to Audit Log Directory	The audit system should collect access events to read audit log directory. The following audit rule will assure that access to audit log directory are collected. Set ARCH to either b32 for 32-bit system, or have two lines for both b32 and b64 in case your system is 64-bit. -a always,exit -F arch=ARCH -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the rule to a file with suffix `.rules` in the directory `/etc/audit/rules.d`. If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the rule to `/etc/audit/audit.rules` file.	Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.'
CCE-92694-9	Record Events that Modify the System's Mandatory Access Controls (/etc/selinux)	If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following lines to a file with suffix `.rules` in the directory `/etc/audit/rules.d`: -w /etc/selinux/ -p wa -k MAC-policy If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following lines to `/etc/audit/audit.rules`: -w /etc/selinux/ -p wa -k MAC-policy	The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
CCE-92695-6	Ensure auditd Collects File Deletion Events by User - renameat2	At a minimum, the audit system should collect file deletion events for all users and root. If the `auditd` daemon is configured to use the `augenrules` program to read audit rules during daemon startup (the default), add the following line to a file with suffix `.rules` in the directory `/etc/audit/rules.d`, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S renameat2 -F auid>=1000 -F auid!=unset -F key=delete If the `auditd` daemon is configured to use the `auditctl` utility to read audit rules during daemon startup, add the following line to `/etc/audit/audit.rules` file, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S renameat2 -F auid>=1000 -F auid!=unset -F key=delete	Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
CCE-92696-4	Set type of computer node name logging in audit logs	To configure Audit daemon to use a unique identifier as computer node name in the audit events, set `name_format` to `hostname` in `/etc/audit/auditd.conf`.	If option `name_format` is left at its default value of `none`, audit events from different computers may be hard to distinguish.
CCE-92697-2	Ensure users' .netrc Files are not group or world accessible	While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. This rule ensures every .netrc file or directory under the home directory related to an interactive user is not group or world accessible	.netrc files may contain unencrypted passwords that may be used to attack other systems. Note: While the complete removal of .netrc files is recommended, if any are required on the system, secure permissions must be applied.
CCE-92698-0	Verify Group Who Owns Backup gshadow File	To properly set the group owner of `/etc/gshadow-`, run the command: $ sudo chgrp root /etc/gshadow-	The `/etc/gshadow-` file is a backup of `/etc/gshadow`, and as such, it contains group password hashes. Protection of this file is critical for system security.
CCE-92699-8	Verify User Who Owns Backup gshadow File	To properly set the owner of `/etc/gshadow-`, run the command: $ sudo chown root /etc/gshadow-	The `/etc/gshadow-` file is a backup of `/etc/gshadow`, and as such, it contains group password hashes. Protection of this file is critical for system security.
CCE-92700-4	Verify Permissions on Backup gshadow File	To properly set the permissions of `/etc/gshadow-`, run the command: $ sudo chmod 0000 /etc/gshadow-	The `/etc/gshadow-` file is a backup of `/etc/gshadow`, and as such, it contains group password hashes. Protection of this file is critical for system security.