INACTIVE=
                  
                
              

To verify the INACTIVE setting, run the following command:
$ grep "INACTIVE" /etc/default/useradd
The output should indicate the INACTIVE configuration option is set
to an appropriate integer as shown in the example below:
$ grep "INACTIVE" /etc/default/useradd
INACTIVE=
      Is it the case that the value of INACTIVE is greater than the expected value or is -1?
      

# sudo chage -l [Emergency_Administrator]

Password expires:never

Check to see if an emergency administrator account password or account expires with the following command:

# sudo chage -l [Emergency_Administrator]

Password expires:never

If Password expires or Account expires is set to anything other than never, this is a finding.
      Is it the case that any emergency administrator account or account password has an expiration date set?
      

$ sudo chage -E YYYY-MM-DD USER
              

Verify that temporary accounts have been provisioned with an expiration date
of 72 hours. For every temporary account, run the following command to
obtain its account aging and expiration information:
$ sudo chage -l temporary_account_name
Verify each of these accounts has an expiration date set within 72 hours or
as documented.
      Is it the case that any temporary accounts have no expiration date set or do not expire within 72 hours?
      

Verify that SUSE Linux Enterprise 15 contains no duplicate User IDs (UIDs) for interactive users.

Check that the operating system contains no duplicate UIDs for interactive users with the following command:

$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
      Is it the case that output is produced and the accounts listed are interactive user accounts?
      

$ sudo userdel unauthorized_user
            

To verify that there are no unauthorized local user accounts, run the following command:
$ less /etc/passwd 
Inspect the results, and if unauthorized local user accounts exist, remove them by running
the following command:
$ sudo userdel unauthorized_user
      Is it the case that there are unauthorized local user accounts on the system?
      

CREATE_HOME yes

Verify all local interactive users on SUSE Linux Enterprise 15 are assigned a home
directory upon creation with the following command:
$ grep -i create_home /etc/login.defs
CREATE_HOME yes
      Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out?
      

* hard maxlogins 
            

Verify SUSE Linux Enterprise 15 limits the number of concurrent sessions to
"" for all
accounts and/or account types with the following command:
$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf
/etc/security/limits.conf:* hard maxlogins 10
This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
      Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater
than "<sub idref="var_accounts_max_concurrent_login_sessions" />" and
is not documented with the Information System Security Officer (ISSO) as an
operational requirement for all domains that have the "maxlogins" item
assigned'?
      

PASS_MAX_DAYS 
              

Verify that SUSE Linux Enterprise 15 enforces a -day maximum password lifetime for new user accounts by running the following command:

$ grep -i pass_max_days /etc/login.defs

PASS_MAX_DAYS 
      Is it the case that the "PASS_MAX_DAYS" parameter value is greater than "<sub idref="var_accounts_maximum_age_login_defs" />", or commented out?
      

Verify that only the "root" account has a UID "0" assignment with the
following command:
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
root
      Is it the case that any accounts other than "root" have a UID of "0"?
      

$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/

Verify that the interactive user account passwords are using a strong
password hash with the following command:

$ sudo cut -d: -f2 /etc/shadow

$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/

Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
      Is it the case that any interactive user password hash does not begin with "$6"?
      

$ sudo chage -M 
                USER
              

Check whether the maximum time period for existing passwords is restricted to  days with the following commands:

$ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow

$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?
      

$ sudo chage -m 1 USER
              

Verify that SUSE Linux Enterprise 15 has configured the minimum time period between password changes for each user account is one day or greater with the following command:

$ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow
      Is it the case that any results are returned that are not associated with a system account?
      

auth required pam_faildelay.so delay=
              

Verify that the SUSE Linux Enterprise 15 operating system enforces a minimum delay betweeen
logon prompts following a failed logon attempt.

# grep pam_faildelay /etc/pam.d/common-auth
auth required pam_faildelay.so delay=

If the value of delay is not set to
 or greater,
"delay" is commented out, "delay" is missing, or the "pam_faildelay" line is missing
completely, this is a finding.
      Is it the case that the value of delay is not set properly or the line is commented or missing?
      

• add or modify the pam_tally2.so module line in /etc/pam.d/login to ensure both onerr=fail and deny= are present. For example:

  auth required pam_tally2.so onerr=fail silent audit deny=
                    

• add or modify the following line in /etc/pam.d/common-account:

  account required pam_tally2.so

Check that the systems locks a user account after - at most - 
consecutive failed login attempts with the following command:

# grep -E '^\s*auth\s+\S+\s+pam_(tally2|unix)\.so' /etc/pam.d/login
auth required pam_tally2.so onerr=fail deny=

If no line is returned, the line is commented out, or the line is missing
"onerr=fail", this is a finding.
If the line has "deny" set to a value outside of the range 1-,
this is a finding.

Check that the system resets the failed login attempts counter after a
successful login using the following command:

# grep pam_tally2.so /etc/pam.d/common-account
account required pam_tally2.so deny=

If the account option is missing, or commented out, this is a finding.
      Is it the case that the account option is missing or commented out?
      

TMOUT=
            

Run the following command to ensure the TMOUT value is configured for all users
on the system:

$ sudo grep TMOUT /etc/profile.d/autologout.sh

The output should return the following:
TMOUT=

readonly TMOUT
export TMOUT
      Is it the case that value of TMOUT is not less than or equal to expected setting?
      

UMASK 
              

Verify SUSE Linux Enterprise 15 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command:

# grep -i umask /etc/login.defs

UMASK 
      Is it the case that the value for the "UMASK" parameter is not "<sub idref="var_accounts_user_umask" />", or the "UMASK" parameter is missing or is commented out?
      

$ sudo chmod o-w FILE
            

Verify that local initialization files do not execute world-writable programs with the following command:

Note: The example will be for a system that is configured to create user home directories in the "/home" directory.

$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
      Is it the case that any local initialization files are found to reference world-writable files?
      

Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands:

$ sudo grep -i path= /home/*/.*

/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
      Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement?
      

Verify that interactive users on the system have a home directory assigned with the following command:

$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd

Inspect the output and verify that all interactive users (normally users with a UID greater than 1000) have a home directory defined.
      Is it the case that users home directory is not defined?
      

$ sudo mkdir /home/USER
            

Verify the assigned home directories of all interactive users on the system exist with the following command:

$ sudo pwck -r

user 'mailnull': directory 'var/spool/mqueue' does not exist

The output should not return any interactive users.
      Is it the case that users home directory does not exist?
      

To verify that McAfee Endpoint Security for Linux is
running, run the following command:
$ sudo ps -ef | grep -i mfetpd
      Is it the case that virus scanning software is not running?
      

$ sudo /usr/bin/aide --init

$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

$ sudo /usr/bin/aide --check

To find the location of the AIDE database file, run the following command:
$ sudo ls -l DBDIR/database_file_name
      Is it the case that there is no database file?
      

Check that AIDE is properly configured to protect the integrity of the
audit tools by running the following command:

# sudo cat /etc/aide.conf | grep /usr/sbin/au

/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512


If AIDE is configured properly to protect the integrity of the audit tools,
all lines listed above will be returned from the command.

If one or more lines are missing, this is a finding.
      Is it the case that integrity checks of the audit tools are missing or incomplete?
      

OnCalendar=*-*-* 05:00:0

[Timer]

Verify the operating system routinely checks the baseline configuration for unauthorized changes.

To determine that periodic AIDE execution has been scheduled, run the following command:
$ systemctl list-timers should display aidecheck.timer or similar
that starts a service to run AIDE check.
      Is it the case that AIDE is not configured to scan periodically?
      

05 4 * * * root /usr/bin/aide --check

05 4 * * 0 root /usr/bin/aide --check

Verify the operating system routinely checks the baseline configuration for unauthorized changes.

To determine that periodic AIDE execution has been scheduled, run the following command:
$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/bin/aide --check

NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable.
      Is it the case that AIDE is not configured to scan periodically?
      

 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

05 4 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

To determine that periodic AIDE execution has been scheduled, run the following command:

$ sudo systemctl status  aidecheck-notify|grep loaded
The output should return that the service is loaded.
Also we should make sure that notification service is started by the check:
$ sudo systemctl list-dependencies --reverse aidecheck-notify,
which should display the aidecheck.service in the dependency tree
      Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details?
      

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

To determine that AIDE is verifying ACLs, run the following command:
$ grep acl /etc/aide.conf
Verify that the acl option is added to the correct ruleset.
      Is it the case that the acl option is missing or not added to the correct ruleset?
      

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

To determine that AIDE is verifying extended file attributes, run the following command:
$ grep xattrs /etc/aide.conf
Verify that the xattrs option is added to the correct ruleset.
      Is it the case that the xattrs option is missing or not added to the correct ruleset?
      

$ sudo systemctl enable apparmor.service

Run the following command to determine the current status of the
apparmor service:
$ sudo systemctl is-active apparmor
If the service is running, it should return the following: active
      Is it the case that it is not?
      

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
chmod system call, run the following command:
$ sudo grep "chmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
chown system call, run the following command:
$ sudo grep "chown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchmod system call, run the following command:
$ sudo grep "fchmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchmodat system call, run the following command:
$ sudo grep "fchmodat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchown system call, run the following command:
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fchownat system call, run the following command:
$ sudo grep "fchownat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fremovexattr system call, run the following command:
$ sudo grep "fremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
fsetxattr system call, run the following command:
$ sudo grep "fsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
lchown system call, run the following command:
$ sudo grep "lchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
lremovexattr system call, run the following command:
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
lsetxattr system call, run the following command:
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
removexattr system call, run the following command:
$ sudo grep "removexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
setxattr system call, run the following command:
$ sudo grep "setxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod

Verify that SUSE Linux Enterprise 15 generates an audit record for all uses of the "umount" and system call.
To determine if the system is configured to audit calls to the
"umount" system call, run the following command:
$ sudo grep "umount" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line like the following.
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod

To determine if the system is configured to audit calls to the
umount2 system call, run the following command:
$ sudo grep "umount2" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a task,never

To check for the offending line, run the following command:
$ grep task,never /etc/audit/{rules.d,.}/audit.rules
There must not be any output, or else these lines must be removed from
the matching files.
      Is it the case that syscall auditing is still disabled?
      

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "chacl" command with the following command:

$ sudo auditctl -l | grep chacl

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "chcon" command with the following command:

$ sudo auditctl -l | grep chcon

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/bin/chmod" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      Is it the case that ?
      

-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

To verify that execution of the command is being audited, run the following command:
$ sudo grep "path=/usr/bin/rm" /etc/audit/audit.rules /etc/audit/rules.d/*
The output should return something similar to:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      Is it the case that ?
      

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "setfacl" command with the following command:

$ sudo auditctl -l | grep setfacl

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=ARCH -S delete_module -F key=modules

To determine if the system is configured to audit calls to the
delete_module system call, run the following command:
$ sudo grep "delete_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S finit_module -F key=modules

-a always,exit -F arch=ARCH -S finit_module -F key=modules

To determine if the system is configured to audit calls to the
finit_module system call, run the following command:
$ sudo grep "finit_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=ARCH -S init_module -F key=modules

To determine if the system is configured to audit calls to the
init_module system call, run the following command:
$ sudo grep "init_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-w /var/log/lastlog -p wa -k logins

-w /var/log/lastlog -p wa -k logins

Verify SUSE Linux Enterprise 15 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command:

$ sudo auditctl -l | grep /var/log/lastlog

-w /var/log/lastlog -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /var/log/tallylog -p wa -k logins

-w /var/log/tallylog -p wa -k logins

Verify SUSE Linux Enterprise 15 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/tallylog" with the following command:

$ sudo auditctl -l | grep /var/log/tallylog

-w /var/log/tallylog -p wa -k logins
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

To determine if the system is configured to audit calls to the
mount system call, run the following command:
$ sudo grep "mount" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "chage" command with the following command:

$ sudo auditctl -l | grep chage

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

To verify that auditing of privileged command use is configured, run the
following command:
$ sudo grep chfn /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules.
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "chsh" command with the following command:

$ sudo auditctl -l | grep chsh

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "crontab" command with the following command:

$ sudo auditctl -l | grep crontab

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "gpasswd" command with the following command:

$ sudo auditctl -l | grep gpasswd

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /sbin/insmod -p x -k modules

To verify that auditing of privileged command use is configured, run the
following command:

   sudo auditctl -l | grep -w '/sbin/insmod'

If the system is configured to audit the execution of the module management program "insmod",
the command will return a line.
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /usr/bin/kmod -p x -k modules

-w /usr/bin/kmod -p x -k modules

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "kmod" command with the following command:

$ sudo auditctl -l | grep kmod

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /sbin/modprobe -p x -k modules

-w /sbin/modprobe -p x -k modules

To verify that auditing of privileged command use is configured, run the
following command:

  sudo auditctl -l | grep -w '/sbin/modprobe'
  -w /sbin/modprobe -p x -k modules

It should return a relevant line in the audit rules.
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "newgrp" command with the following command:

$ sudo auditctl -l | grep newgrp

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

To verify that auditing of privileged command use is configured, run the
following command:
$ sudo grep passmass /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules.
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "passwd" command with the following command:

$ sudo auditctl -l | grep passwd

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /sbin/rmmod -p x -k modules

To verify that auditing of privileged command use is configured, run the
following command:

   sudo auditctl -l | grep -w '/sbin/rmmod'

If the system is configured to audit the execution of the module management program "rmmod",
the command will return a line.
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "ssh-agent" command with the following command:

$ sudo auditctl -l | grep ssh-agent

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "ssh-keysign" command with the following command:

$ sudo auditctl -l | grep ssh-keysign

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "su" command with the following command:

$ sudo auditctl -l | grep su

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "sudo" command with the following command:

$ sudo auditctl -l | grep sudo

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "sudoedit" command with the following command:

$ sudo auditctl -l | grep sudoedit

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

To verify that auditing of privileged command use is configured, run the
following command:
$ sudo grep unix2_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules.
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "unix_chkpwd" command with the following command:

$ sudo auditctl -l | grep unix_chkpwd

-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Verify that SUSE Linux Enterprise 15 is configured to audit the execution of the "usermod" command with the following command:

$ sudo auditctl -l | grep usermod

-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /var/log/btmp -p wa -k session

-w /var/log/btmp -p wa -k session

Check that the file is being audited by running the following command:
 sudo auditctl -l | grep -w '/var/log/btmp'
      Is it the case that Audit rule is not present?
      

-w /run/utmp -p wa -k session

-w /run/utmp -p wa -k session

To Check the file is being audited by performing the following command
 sudo auditctl -l | grep -w '/run/utmp'
      Is it the case that Audit rule is not present?
      

 -w /var/log/wtmp -p wa -k session

 -w /var/log/wtmp -p wa -k session

Check that the file is being audited by performing the following command:
 sudo auditctl -l | grep -w '/var/log/wtmp'
      Is it the case that Audit rule is not present?
      

$ sudo grep execve /etc/audit/audit.rules

$ sudo grep -r execve /etc/audit/rules.d

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid

-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid

-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

Verify SUSE Linux Enterprise 15 audits the execution of privileged functions.

Check if SUSE Linux Enterprise 15 is configured to audit the execution of the "execve" system call using the following command:

$ sudo grep execve /etc/audit/audit.rules

The output should be the following:


-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
      Is it the case that the command does not return all lines, or the lines are commented out?
      

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d"
      Is it the case that there is not output?
      

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify SUSE Linux Enterprise 15 generates an audit record for unsuccessful attempts to use the creat system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r creat /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep creat /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify SUSE Linux Enterprise 15 generates an audit record for unsuccessful attempts to use the ftruncate system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r ftruncate /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep ftruncate /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify SUSE Linux Enterprise 15 generates an audit record for unsuccessful attempts to use the open system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r open /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep open /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify SUSE Linux Enterprise 15 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r open_by_handle_at /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep open_by_handle_at /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify SUSE Linux Enterprise 15 generates an audit record for unsuccessful attempts to use the openat system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r openat /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep openat /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

Verify SUSE Linux Enterprise 15 generates an audit record for unsuccessful attempts to use the rename system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r rename /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep rename /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k perm_mod

Verify SUSE Linux Enterprise 15 generates an audit record for unsuccessful attempts to use the renameat system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r renameat /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep renameat /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S renameat2 -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S renameat2 -F auid>=1000 -F auid!=-1 -k perm_mod

To determine if the system is configured to audit unsuccessful calls
to the renameat2 system call, run the following command:
$ sudo grep "renameat2" /etc/audit.*
If the system is configured to audit this activity, it will return a line.

      Is it the case that no line is returned?
      

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Verify SUSE Linux Enterprise 15 generates an audit record for unsuccessful attempts to use the truncate system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r truncate /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep truncate /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=-1 -k perm_mod 

Verify SUSE Linux Enterprise 15 generates an audit record for unsuccessful attempts to use the unlink system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r unlink /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep unlink /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete
      Is it the case that the command does not return a line, or the line is commented out?
      

-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=-1 -k perm_mod

Verify SUSE Linux Enterprise 15 generates an audit record for unsuccessful attempts to use the unlinkat system call.

If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:

$ sudo grep -r unlinkat /etc/audit/rules.d

If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:

$ sudo grep unlinkat /etc/audit/audit.rules

The output should be the following:

-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/group -p wa -k audit_rules_usergroup_modification

-w /etc/group -p wa -k audit_rules_usergroup_modification

Verify SUSE Linux Enterprise 15 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command:

$ sudo auditctl -l | grep -E '(/etc/group)'

-w /etc/group -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

Verify SUSE Linux Enterprise 15 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command:

$ sudo auditctl -l | grep -E '(/etc/gshadow)'

-w /etc/gshadow -p wa -k identity

If the command does not return a line, or the line is commented out, this is a finding.
      Is it the case that the system is not configured to audit account changes?
      

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Verify SUSE Linux Enterprise 15 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:

$ sudo auditctl -l | grep -E '(/etc/security/opasswd)'

-w /etc/security/opasswd -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

Verify SUSE Linux Enterprise 15 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command:

$  sudo auditctl -l | grep -E '(/etc/passwd)'

-w /etc/passwd -p wa -k identity
      Is it the case that the command does not return a line, or the line is commented out?
      

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

Verify SUSE Linux Enterprise 15 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command:

$  sudo auditctl -l | grep -E '(/etc/shadow)'

-w /etc/shadow -p wa -k identity
      Is it the case that command does not return a line, or the line is commented out?
      

$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit

To verify whether audispd plugin off-loads audit records onto a different
system or media from the system being audited, run the following command:

$ sudo grep -i remote_server /etc/audit/audisp-remote.conf

The output should return something similar to where REMOTE_SYSTEM
is an IP address or hostname:
remote_server = REMOTE_SYSTEM

Determine which partition the audit records are being written to with the
following command:

$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Check the size of the partition that audit records are written to with the
following command and verify whether it is sufficiently large:

$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
      Is it the case that audispd is not sending logs to a remote system and the local partition has inadequate space?
      

disk_full_action = ACTION
          

Inspect /etc/audit/audisp-remote.conf and locate the following line to
determine if the system is configured to either send to syslog, switch to single user mode,
or halt when the disk is full:
$ sudo grep -i disk_full_action /etc/audit/audisp-remote.conf
The output should return something similar to:
disk_full_action = single
Acceptable values also include syslog and halt.
      Is it the case that the system is not configured to switch to single user mode for corrective action?
      

/etc/audit/audisp-remote.conf

To verify the audispd plugin encrypts audit records off-loaded onto a different
system or media from the system being audited, run the following command:

$ sudo grep -i transport /etc/audit/audisp-remote.conf
The output should return the following:
transport = KRB5
      Is it the case that audispd is not encrypting audit records when sent over the network?
      

network_failure_action = ACTION
          

Inspect /etc/audit/audisp-remote.conf and locate the following line to
determine if the system is configured to perform a correct action according to the policy:
$ sudo grep -i network_failure_action /etc/audit/audisp-remote.conf
The output should return:
network_failure_action = 
      Is it the case that the system is not configured to switch to single user mode for corrective action?
      

disk_full_action = ACTION
          

Verify SUSE Linux Enterprise 15 takes the appropriate action when the audit storage volume is full.

Check that SUSE Linux Enterprise 15 takes the appropriate action when the audit storage volume is full with the following command:

$ sudo grep disk_full_action /etc/audit/auditd.conf

disk_full_action = 

If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full.
      Is it the case that there is no evidence of appropriate action?
      

action_mail_acct = 
          

Verify that SUSE Linux Enterprise 15 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command:

$ sudo grep action_mail_acct /etc/audit/auditd.conf

action_mail_acct = 
      Is it the case that the value of the "action_mail_acct" keyword is not set to "<sub idref="var_auditd_action_mail_acct" />" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure?
      

space_left = SIZE_in_MB
          

Inspect /etc/audit/auditd.conf and locate the following line to
determine if the system is configured correctly:
space_left SIZE_in_MB
      Is it the case that the system is not configured a specfic size in MB to notify administrators of an issue?
      

To check if the system login banner is compliant,
run the following command:
$ cat /etc/gdm/banner
      Is it the case that it does not display the required banner?
      

To check if the system login banner is compliant,
run the following command:

$ cat /etc/issue
      Is it the case that it does not display the required banner?
      

maxpoll 
          

Verify SUSE Linux Enterprise 15 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command:
$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf /etc/chrony.d/
server [ntp.server.name] iburst maxpoll .
      Is it the case that "maxpoll" has not been set to the value of "<sub idref="var_time_service_set_maxpoll" />", is commented out, or is missing?
      

Verify SUSE Linux Enterprise 15 removes all software components after updated versions have been installed.


To verify that solver.upgradeRemoveDroppedPackages is configured properly, run the
following command:
$ grep -i upgradeRemoveDroppedPackages /etc/zypp/zypp.conf
The output should return something similar to:
solver.upgradeRemoveDroppedPackages=true
      Is it the case that 'solver.upgradeRemoveDroppedPackages is not enabled or configured correctly'?
      

To check how many digits are required in a password, run the following
command:
# grep pam_cracklib /etc/pam.d/common-password
password requisite pam_cracklib.so dcredit=
The dcredit parameter (as a negative number) will indicate how
many digits are required.
The DoD requires at least one digit in a password.
This would appear as dcredit=-1.
      Is it the case that dcredit is not found or not set to the required value?
      

To check how many characters must differ during a password change, run the
following command:
# grep pam_cracklib.so /etc/pam.d/common-password
password requisite pam_cracklib.so difok=
The difok parameter will indicate how many characters must differ.
The DoD requires at least eight characters differ during a password change.
This would appear as difok=8.
      Is it the case that difok is not found or not set to the required value?
      

Check that the operating system enforces password complexity by requiring
that at least one lower-case character be used by using the following
command:

# grep pam_cracklib.so /etc/pam.d/common-password
password requisite pam_cracklib.so lcredit=

If the command does not return anything, the returned line is commented
out, or has a second column value different from "requisite", or does not
contain lcredit=, this is a finding.

The DoD and FISMA require at least one lowercase character in a password.
This would appear as lcredit=-1.
      Is it the case that lcredit is not found or not set to the required value?
      

To check how many characters are required in a password, run the following command:
$ grep pam_cracklib.so /etc/pam.d/common-password
Your output should contain minlen=
      Is it the case that minlen is not found or not set to the required value (or higher)?
      

To check how many special characters are required in a password, run the
following command:
# grep pam_cracklib.so /etc/pam.d/common-password
password requisite pam_cracklib.so ocredit=
The ocredit parameter (as a negative number) will indicate how
many special characters are required.
The DoD and FISMA require at least one special character in a password.
This would appear as ocredit=-1.
      Is it the case that ocredit is not found or not set to the required value?
      

Check the password retry limit with the following command:

# grep pam_cracklib.so /etc/pam.d/common-password
password requisite pam_cracklib.so retry=

If the command does not return anything, or the returned line is
commented out, this is a finding.

If the value of retry is greater than
, this is a finding.
      Is it the case that retry is not found or not set to the required value (or lower)?
      

To check how many uppercase characters are required in a password, run the
following command:
grep pam_cracklib.so /etc/pam.d/common-password
password requisite pam_cracklib.so ucredit=
The ucredit parameter (as a negative number) will indicate how
many uppercase characters are required.
The DoD and FISMA require at least one uppercase character in a password.
This would appear as ucredit=-1.
      Is it the case that ucredit is not found or not set to the required value?
      

dconf update

/etc/dconf/db/gdm.d

/etc/dconf/db/local.d

In order to be sure that the databases are up-to-date, run the
dconf update
command as the administrator.
      Is it the case that The system-wide dconf databases are up-to-date with regards to respective keyfiles?
      

[org/gnome/login-screen]
banner-message-enable=true

/org/gnome/login-screen/banner-message-enable

To ensure a login warning banner is enabled, run the following:
$ grep banner-message-enable /etc/dconf/db/gdm.d/*
If properly configured, the output should be true.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-enable.
      Is it the case that it is not?
      

[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'

/org/gnome/login-screen/banner-message-text

To ensure the login warning banner text is properly set, run the following:
$ grep banner-message-text /etc/dconf/db/gdm.d/*
If properly configured, the proper banner text will appear.
To ensure the login warning banner text is locked and cannot be changed by a user, run the following:
$ grep banner-message-text /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-text.
      Is it the case that it does not?
      

[org/gnome/desktop/session]
idle-delay=uint32 900

To check the current idle time-out value, run the following command:
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay
      Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />?
      

gsettings set org.gnome.desktop.lockdown disable-lock-screen false

gsettings get org.gnome.desktop.lockdown disable-lock-screen

To check the status of the idle screen lock activation, run the following command:

gsettings get org.gnome.desktop.lockdown disable-lock-screen
If the result is "true", this is a finding.
Configure the SUSE operating system to allow the user to lock the GUI.
Run the following command to configure the SUSE operating system to allow the user to lock the GUI:
gsettings set org.gnome.desktop.lockdown disable-lock-screen false
      Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
      

[org/gnome/desktop/screensaver]
picture-uri=string ''

/org/gnome/desktop/screensaver/picture-uri

To ensure the screensaver is configured to be blank, run the following command:
$ gsettings get org.gnome.desktop.screensaver picture-uri
If properly configured, the output should be ''.

To ensure that users cannot set the screensaver background, run the following:
$ grep picture-uri /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
      Is it the case that it is not set or configured properly?
      

/org/gnome/desktop/session/idle-delay

To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
      Is it the case that idle-delay is not locked?
      

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chgrp root DIR
              

Verify the system-wide shared library directories are group-owned by "root" with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \;

If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding.
      Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account?
      

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chown root DIR
              

Verify the system-wide shared library directories are owned by "root" with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \;
      Is it the case that any system-wide shared library directory is not owned by root?
      

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chmod go-w DIR
              

Shared libraries are stored in the following directories:
/lib
/lib64
/usr/lib
/usr/lib64

To find shared libraries that are group-writable or world-writable,
run the following command for each directory DIR which contains shared libraries:
$ sudo find -L DIR -perm /022 -type d
      Is it the case that any of these files are group-writable or world-writable?
      

$ sudo chmod +t DIR
            

To find world-writable directories that lack the sticky bit, run the following command:
$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null
fixtext: |-
Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources.

Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit:

$ chmod a+t [World-Writable Directory]
srg_requirement:
A sticky bit must be set on all SUSE Linux Enterprise 15 public directories to prevent unauthorized and unintended information transferred via shared system resources.
      Is it the case that any world-writable directories are missing the sticky bit?
      

The following command will discover and print world-writable directories that
are not group owned by a system account, given the assumption that only system
accounts have a gid lower than 1000.  Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -gid +999 -print
      Is it the case that there is output?
      

/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin

$ sudo chgrp root DIR
            

System commands are stored in the following directories:
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin
For each of these directories, run the following command to find directories not
owned by root:
$ sudo find -L $DIR ! -group root -type d -exec chgrp root {} \;
      Is it the case that any of these directories are not group owned by root?
      

/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin

$ sudo chown root DIR
            

System commands are stored in the following directories:
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin
For each of these directories, run the following command to find directories not
owned by root:
$ sudo find -L $DIR ! -user root -type d
      Is it the case that any of these directories are not owned by root?
      

CtrlAltDelBurstAction=none

To ensure the system is configured to ignore the Ctrl-Alt-Del setting,
enter the following command:
$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
The output should return:
CtrlAltDelBurstAction=none
      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.?
      

ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target

systemctl mask ctrl-alt-del.target

To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check
that the ctrl-alt-del.target is masked and not active with the following
command:
sudo systemctl status ctrl-alt-del.target
The output should indicate that the target is masked and not active. It
might resemble following output:
ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed?
      

$ sudo grep pam_succeed_if /etc/pam.d/sudo

Verify the operating system is not configured to bypass password requirements for privilege
escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudo
      Is it the case that system is configured to bypass password requirements for privilege escalation?
      

session     optional    pam_lastlog.so showfailed

Verify users are provided with feedback on when account accesses last occurred with the following command:

$ sudo grep pam_lastlog /etc/pam.d/login

session optional pam_lastlog.so showfailed
      Is it the case that "pam_lastlog.so" is not properly configured in "/etc/pam.d/login" file?
      

user-db:user
system-db:gdm

To verify that the DConf User profile is configured correctly, run the following
command:

$ cat /etc/dconf/profile/gdm
The output should show the following:
user-db:user
system-db:gdm
      Is it the case that DConf User profile does not exist or is not configured correctly?
      

Check the system partitions to determine if they are encrypted with the following command:
blkid

Output will be similar to:
/dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2
" TYPE="crypto_LUKS"
/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
" TYPE="crypto_LUKS"

The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
are not required to use disk encryption and are not a finding.
      Is it the case that partitions do not have a type of crypto_LUKS?
      

gpgcheck=1

Verify that zypper verifies the signature of packages from a repository prior to install with the following command:

$ grep gpgcheck /etc/zypp/zypp.conf

gpgcheck=1

If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
      Is it the case that there is no process to validate certificates that is approved by the organization?
      

To verify that the system real-time clock is set to UTC or GMT, run the following command:

# timedatectl status | grep -i "time zone"
# Time zone: UTC (UTC, +0000)

If "Timezone" is not set to UTC, this is a finding.
Fix Text: Configure the SUSE operating system is configured to use UTC.
To configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with "UTC" or "GMT".
# sudo timedatectl set-timezone [ZONE]
      Is it the case that the system real-time clock is not configured to use UTC as its time base?
      

$ sudo chgrp USER_GROUP /home/USER
            

To verify the assigned home directory of all interactive users is group-
owned by that users primary GID, run the following command:
# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
      Is it the case that the group ownership is incorrect?
      

/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

$ sudo chgrp root FILE
              

Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \;
      Is it the case that any system commands are returned and is not group-owned by a required system account?
      

/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin

$ sudo chown root FILE
              

Verify the system commands contained in the following directories are owned by "root" with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \;
      Is it the case that any system commands are found to not be owned by root?
      

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chown root FILE
              

Verify the system-wide shared library files are owned by "root" with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \;
      Is it the case that any system wide shared library file is not owned by root?
      

$ sudo chmod 0740 /home/USER/.INIT_FILE
            

To verify that all user initialization files have a mode of 0740 or
less permissive, run the following command:
$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)
There should be no output.
      Is it the case that they are not 0740 or more permissive?
      

/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin

$ sudo chmod go-w FILE
              

Verify the system commands contained in the following directories have mode "755" or less permissive with the following command:

$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \;
      Is it the case that any system commands are found to be group-writable or world-writable?
      

$ sudo chmod 0750 /home/USER
            

To verify the assigned home directory of all interactive user home directories
have a mode of 0750 or less permissive, run the following command:
$ sudo ls -l /home
Inspect the output for any directories with incorrect permissions.
      Is it the case that they are more permissive?
      

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chmod go-w FILE
              

Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \;
      Is it the case that any system-wide shared library file is found to be group-writable or world-writable?
      

$ sudo chmod 0640 /var/log/messages

# grep -i messages /etc/permissions.local

/var/log/messages root:root 640

To check the permissions of /var/log/messages,
run the command:
$ ls -l /var/log/messages
If properly configured, the output should indicate the following permissions:
-rw-r-----

Check that permissions.local file contains the correct permissions rules with the following command:

# grep -i messages /etc/permissions.local

/var/log/messages root:root 640

If the command does not return any or different output, this is a finding.

Run the following command to correct the permissions after adding the missing entry:

# sudo chkstat --set --system
      Is it the case that Make sure /var/log/messages is not world-readable?
      

To check the permissions of /etc/ssh/*_key,
run the command:
$ ls -l /etc/ssh/*_key
If properly configured, the output should indicate the following permissions:
-rw-r-----
      Is it the case that /etc/ssh/*_key does not have unix mode -rw-r-----?
      

$ sudo chmod 0644 /etc/ssh/*.pub

To check the permissions of /etc/ssh/*.pub,
run the command:
$ ls -l /etc/ssh/*.pub
If properly configured, the output should indicate the following permissions:
-rw-r--r--
      Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--?
      

/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin

$ sudo chmod 755 FILE
              

System commands are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/local/bin
/usr/local/sbin
/usr/sbin
To find system commands that have mode 0755 or less permissive,
run the following command for each directory DIR which contains system executables:
$ sudo find -L DIR -perm /022 -type f
      Is it the case that any system commands are found to be group or world writable?
      

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null

The following command will locate the mount points related to local devices:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

The following command will show files which do not belong to a valid group:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null

Replace MOUNTPOINT by the mount points listed by the fist command.

No files without a valid group should be located.
      Is it the case that there is output?
      

DISPLAYMANAGER_AUTOLOGIN=""
DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"

To verify that automatic or unattended logins are disabled, run the following command:
grep -i ^DISPLAYMANAGER_AUTOLOGIN /etc/sysconfig/displaymanager
The output should show the following:
DISPLAYMANAGER_AUTOLOGIN=""
     DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
      Is it the case that GDM allows users to automatically login or unattended login?
      

# grub2-mkpasswd-pbkdf2

set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString

grub2-mkconfig -o /boot/grub2/grub2.cfg

First, check whether the password is defined in either /boot/grub2/user.cfg or
/boot/grub2/grub.cfg.
Run the following commands:
$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' /boot/grub2/user.cfg
$ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' /boot/grub2/grub.cfg


Second, check that a superuser is defined in /boot/grub2/grub.cfg.
$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$'  /boot/grub2/grub.cfg
      Is it the case that it does not produce any output?
      

# grub2-mkpasswd-pbkdf2

set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString

grub2-mkconfig -o /boot/grub2/grub2.cfg

To verify the boot loader superuser password has been set, run the following command:
$ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/grub2/user.cfg
The output should be similar to:
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
      Is it the case that no password is set?
      

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

# more /etc/gdm/Xsession

if ! zenity --text-info \
--title "Consent" \
--filename=/etc/gdm/banner \
--no-markup \
--checkbox="Accept." 10 10; then
sleep 1;
exit 1;
fi

Verify the SUSE operating system displays the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on via the local GUI.

Note: If GNOME is not installed, this requirement is Not Applicable.

Check the configuration by running the following command:

# more /etc/gdm/Xsession

The beginning of the file must contain the following text immediately after #!/bin/sh:

if ! zenity --text-info \
--title "Consent" \
--filename=/etc/gdm/banner \
--no-markup \
--checkbox="Accept." 10 10; then
sleep 1;
exit 1;
fi

If the beginning of the file does not contain the above text immediately after the line (#!/bin/sh), this is a finding.
      Is it the case that the GNOME environment does not display the standard mandatory DoD notice and consent banner?
      

$ sudo zypper install pam_pkcs11

$ sudo zypper install mozilla-nss

$ sudo zypper install mozilla-nss-tools

$ sudo zypper install pcsc-ccid

$ sudo zypper install pcsc-lite

$ sudo zypper install pcsc-tools

$ sudo zypper install opensc

Check that SUSE Linux Enterprise 15 has the packages for smart card support installed.

Run the following command to determine if the pam_pkcs11 package is installed:
$ rpm -q pam_pkcs11

Run the following command to determine if the mozilla-nss package is installed:
$ rpm -q mozilla-nss

Run the following command to determine if the mozilla-nss-tools package is installed:
$ rpm -q mozilla-nss-tools

Run the following command to determine if the pcsc-ccid package is installed:
$ rpm -q pcsc-ccid

Run the following command to determine if the pcsc-lite package is installed:
$ rpm -q pcsc-lite

Run the following command to determine if the pcsc-tools package is installed:
$ rpm -q pcsc-tools

Run the following command to determine if the opensc package is installed:
$ rpm -q opensc
      Is it the case that smartcard software is not installed?
      

To verify that the installed operating system is supported, run
the following command:

$ grep -i "suse" /etc/os-release

SUSE Linux Enterprise 15
      Is it the case that the installed operating system is not supported?
      

cat /proc/sys/crypto/fips_enabled

To verify /proc/sys/crypto/fips_enabled exists, run the following command:
cat /proc/sys/crypto/fips_enabled
The output should be:
1
      Is it the case that the command 'cat /proc/sys/crypto/fips_enabled' returns nothing or '0' or the file does not exist?
      

install usb-storage /bin/false

If the system is configured to prevent the loading of the usb-storage kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.

Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
      Is it the case that no line is returned?
      

Verify the nosuid option is configured for the /home mount point,
    run the following command:
    $ sudo mount | grep '\s/home\s'
    . . . /home . . . nosuid . . .

      Is it the case that the "/home" file system does not have the "nosuid" option set?
      

To verify the noexec option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the noexec setting in parentheses.  This is not applicable if NFS is
not implemented.
      Is it the case that the setting does not show?
      

To verify the nosuid option is configured for all NFS mounts, run
the following command:
$ mount | grep nfs
All NFS mounts should show the nosuid setting in parentheses. This
is not applicable if NFS is not implemented.
      Is it the case that the setting does not show?
      

Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command:

$ sudo more /etc/fstab

UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
      Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set?
      

$ ip link | grep PROMISC

$ sudo ip link set dev device_name multicast off promisc off

Verify that Promiscuous mode of an interface is disabled, run the following command:
$ ip link | grep PROMISC
      Is it the case that any network device is in promiscuous mode?
      

To verify that null passwords cannot be used, run the following command:

$ grep pam_unix.so /etc/pam.d/* | grep nullok

If this produces any output, it may be possible to log into accounts
with empty passwords. Remove any instances of the nullok option to
prevent logins with empty passwords.
      Is it the case that NULL passwords can be used?
      

$ sudo awk -F: '!$2 {print $1}' /etc/shadow

$ sudo passwd [username]

$ sudo passwd -l [username]

To verify that null passwords cannot be used, run the following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If this produces any output, it may be possible to log into accounts
with empty passwords.
      Is it the case that Blank or NULL passwords can be used?
      

$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null

The following command will locate the mount points related to local devices:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)

The following command will show files which do not belong to a valid user:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null

Replace MOUNTPOINT by the mount points listed by the fist command.

No files without a valid user should be located.
      Is it the case that files exist that are not owned by a valid user?
      

$ sudo rm /[path]/[to]/[file]/shosts.equiv

Verify that there are no shosts.equiv files on the system, run the following command:
$ find / -name shosts.equiv
      Is it the case that shosts.equiv files exist?
      

$ sudo usermod -s /sbin/nologin account
              

To obtain a listing of all users, their UIDs, and their shells, run the command:
$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
Identify the system accounts from this listing. These will primarily be the accounts with UID
numbers less than 1000, other than root.
      Is it the case that any system account other than root has a login shell?
      

$ sudo find / -name '.shosts' -type f -delete

To verify that there are no .shosts files
on the system, run the following command:
$ sudo find / -name '.shosts'
      Is it the case that .shosts files exist?
      

$ sudo zypper install aide

Run the following command to determine if the aide package is installed: $ rpm -q aide
      Is it the case that the package is not installed?
      

      Is it the case that the package is not installed?
      

Run the following command to determine if the audit package is installed: $ rpm -q audit
      Is it the case that the audit package is not installed?
      

$ sudo zypper install firewalld

Run the following command to determine if the firewalld package is installed: $ rpm -q firewalld
      Is it the case that the package is not installed?
      

$ sudo zypper install mailx

Run the following command to determine if the mailx package is installed: $ rpm -q mailx
      Is it the case that the package is not installed?
      

$ sudo zypper install pam_apparmor

Run the following command to determine if the pam_apparmor package is installed: $ rpm -q pam_apparmor
      Is it the case that the package is not installed?
      

$ sudo zypper remove telnet-server

Run the following command to determine if the telnet-server package is installed:
$ rpm -q telnet-server
      Is it the case that the package is installed?
      

 $ sudo zypper remove vsftpd

Run the following command to determine if the vsftpd package is installed:
$ rpm -q vsftpd
      Is it the case that the package is installed?
      

Check that soft links between PAM configuration files are removed with the following command:

# find /etc/pam.d/ -type l -iname "common-*"

If any results are returned, this is a finding.
      Is it the case that there is output?
      

Verify that a separate file system/partition has been created for /home with the following command:

$ mountpoint /home

      Is it the case that "/home is not a mountpoint" is returned?
      

Verify that a separate file system/partition has been created for /var with the following command:

$ mountpoint /var

      Is it the case that "/var is not a mountpoint" is returned?
      

Verify that a separate file system/partition has been created for /var/log/audit with the following command:

$ mountpoint /var/log/audit

      Is it the case that "/var/log/audit is not a mountpoint" is returned?
      

grep "^/usr/sbin/au" /etc/permissions.local

/usr/sbin/audispd root:root 0750
/usr/sbin/auditctl root:root 0750
/usr/sbin/auditd root:root 0750
/usr/sbin/ausearch root:root 0755
/usr/sbin/aureport root:root 0755
/usr/sbin/autrace root:root 0750
/usr/sbin/augenrules root:root 0750

Check that permissions.local file contains the correct permissions
rules with the following command:

grep "^/usr/sbin/au" /etc/permissions.local

/usr/sbin/audispd root:root 0750
/usr/sbin/auditctl root:root 0750
/usr/sbin/auditd root:root 0750
/usr/sbin/ausearch root:root 0755
/usr/sbin/aureport root:root 0755
/usr/sbin/autrace root:root 0750
/usr/sbin/augenrules root:root 0750


If the command does not return all the above lines, the missing ones need
to be added.

Run the following command to correct the permissions after adding missing
entries:

# sudo chkstat --set --system
      Is it the case that ?
      

Verify the operating system has all system log files under the
/var/log directory with a permission set to 640,
by using the following command:

sudo find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;

      Is it the case that not all log files have permission 640 or stricter?
      

# grep -i audit /etc/permissions.local

/var/log/audit/ root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640

Check that permissions.local file contains the correct permissionsi
rules with the following command:

# grep -i audit /etc/permissions.local

/var/log/audit/ root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640

If the command does not return all the above lines, the missing ones need
to be added.

Run the following command to correct the permissions after adding missing
entries:

# sudo chkstat --set --system
      Is it the case that ?
      

$ sudo echo "root: " >> /etc/aliases
$ sudo newaliases

Find the list of alias maps used by the Postfix mail server:
$ sudo postconf alias_maps
Query the Postfix alias maps for an alias for the root user:
$ sudo postmap -q root hash:/etc/aliases
The output should return an alias.
      Is it the case that the alias is not set?
      

/lib
/lib64
/usr/lib
/usr/lib64

$ sudo chgrp root FILE
              

Verify the system-wide shared library files are group-owned by "root" with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \;
      Is it the case that any system wide shared library file is returned and is not group-owned by a required system account?
      

*.* @
                
              
            

*.* @@
                
              
            

*.* :omrelp:
                
              
            

To ensure logs are sent to a remote host, examine the file
/etc/rsyslog.conf.
If using UDP, a line similar to the following should be present:
 *.* @
If using TCP, a line similar to the following should be present:
 *.* @@
If using RELP, a line similar to the following should be present:
 *.* :omrelp:
      Is it the case that no evidence that the audit logs are being off-loaded to another system or media?
      

$ sudo zypper refresh && sudo zypper list-patches -g security

$ sudo systemctl enable auditd.service

Run the following command to determine the current status of the
auditd service:
$ sudo systemctl is-active auditd
If the service is running, it should return the following: active
      Is it the case that the auditd service is not running?
      

$ sudo systemctl mask --now autofs.service

To check that the autofs service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled autofs
Output should indicate the autofs service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled autofs disabled

Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active autofs

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the autofs is masked, run the following command:
$ sudo systemctl show autofs | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "autofs" is loaded and not masked?
      

$ sudo systemctl enable firewalld.service

Run the following command to determine the current status of the
firewalld service:
$ sudo systemctl is-active firewalld
If the service is running, it should return the following: active
      Is it the case that the "firewalld" service is disabled, masked, or not started.?
      

$ sudo systemctl mask --now kdump.service

To check that the kdump service is disabled in system boot configuration,
run the following command:
$ sudo systemctl is-enabled kdump
Output should indicate the kdump service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled kdump disabled

Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active kdump

If the service is not running the command will return the following output:
inactive

The service will also be masked, to check that the kdump is masked, run the following command:
$ sudo systemctl show kdump | grep "LoadState\|UnitFileState"

If the service is masked the command will return the following outputs:

LoadState=masked

UnitFileState=masked
      Is it the case that the "kdump" is loaded and not masked?
      

$ sudo systemctl enable sshd.service

Run the following command to determine the current status of the
sshd service:
$ sudo systemctl is-active sshd
If the service is running, it should return the following: active
      Is it the case that sshd service is disabled?
      

ENCRYPT_METHOD 
              

Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm.

Check the hashing algorithm that is being used to hash passwords with the following command:

$ sudo grep -i ENCRYPT_METHOD /etc/login.defs

ENCRYPT_METHOD 
      Is it the case that ENCRYPT_METHOD is not set to <sub idref="var_password_hashing_algorithm" />?
      

password    required    pam_unix.so 
                other arguments...
              

Inspect the password section of /etc/pam.d/common-password
and ensure that the pam_unix.so module is configured to use the argument
:

$ sudo grep "^password.*pam_unix\.so.*" /etc/pam.d/common-password
password required pam_unix.so 

      Is it the case that "<sub idref="var_password_hashing_algorithm_pam" />" is missing, or is commented out?
      

SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000

Inspect /etc/login.defs and ensure that if eihter
SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS
are set, they must have the minimum value of 5000.
      Is it the case that it does not?
      

cert_policy = ca, ocsp_on, signature;

To verify the operating system implements certificate status checking for PKI
authentication, run the following command:
$ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
The output should return multiple lines similiar to the following:
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
      Is it the case that ca is not configured?
      

cert_policy = ca, ocsp_on, signature;

To verify the operating system implements certificate status checking for PKI
authentication, run the following command:
$ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
The output should return multiple lines similiar to the following:
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
cert_policy = ca, ocsp_on, signature;
      Is it the case that ocsp_on is not configured?
      

# grep pam_pkcs11.so /etc/pam.d/common-auth

auth sufficient pam_pkcs11.so

• https://www.suse.com/c/configuring-smart-card-authentication-suse-linux-enterprise/

Remote access is access to DoD nonpublic information systems by an
authorized user (or an information system) communicating through an
external, non-organization-controlled network. Remote access methods
include, for example, dial-up, broadband, and wireless.

This requirement only applies to components where this is specific to the
function of the device or has the concept of an organizational user (e.g.,
VPN, proxy capability). This does not apply to authentication for the
purpose of configuring the device itself (management).

Check that the pam_pkcs11.so option is configured in the
etc/pam.d/common-auth file with the following command:

# grep pam_pkcs11.so /etc/pam.d/common-auth


auth sufficient pam_pkcs11.so


If pam_pkcs11.so is not set in etc/pam.d/common-auth this
is a finding.
      Is it the case that non-exempt accounts are not using CAC authentication?
      

PermitEmptyPasswords no

To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:

$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

PermitRootLogin no

To determine how the SSH daemon's PermitRootLogin option is set, run the following command:

$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

IgnoreUserKnownHosts yes

To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:

$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

X11Forwarding no

To determine how the SSH daemon's X11Forwarding option is set, run the following command:

$ sudo grep -i X11Forwarding /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

PermitUserEnvironment no

To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command:

$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config

If a line indicating no is returned, then the required value is set.

      Is it the case that the required value is not set?
      

StrictModes yes

To determine how the SSH daemon's StrictModes option is set, run the following command:

$ sudo grep -i StrictModes /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

Banner /etc/issue

To determine how the SSH daemon's Banner option is set, run the following command:

$ sudo grep -i Banner /etc/ssh/sshd_config

If a line indicating /etc/issue is returned, then the required value is set.

      Is it the case that the required value is not set?
      

PrintLastLog yes

To determine how the SSH daemon's PrintLastLog option is set, run the following command:

$ sudo grep -i PrintLastLog /etc/ssh/sshd_config

If a line indicating yes is returned, then the required value is set.

      Is it the case that the required value is not set?
      

ClientAliveInterval 
                
              
            

Run the following command to see what the timeout interval is:
$ sudo grep ClientAliveInterval /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveInterval 
      Is it the case that it is commented out or not configured properly?
      

To ensure ClientAliveInterval is set correctly, run the following command:

$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config

If properly configured, the output should be:
ClientAliveCountMax 0

In this case, the SSH timeout occurs precisely when
the ClientAliveInterval is set.
      Is it the case that it is commented out or not configured properly?
      

LogLevel VERBOSE

To determine how the SSH daemon's LogLevel option is set, run the following command:

$ sudo grep -i LogLevel /etc/ssh/sshd_config

If a line indicating VERBOSE is returned, then the required value is set.

      Is it the case that the required value is not set?
      

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

Only FIPS ciphers should be used. To verify that only FIPS-approved
ciphers are in use, run the following command:
$ sudo grep Ciphers /etc/ssh/sshd_config
The output should contain only following ciphers (or a subset) in the exact order:
aes256-ctr,aes192-ctr,aes128-ctr
      Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved?
      

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

Only FIPS-approved key exchange algorithms must be used. To verify that only FIPS-approved
key exchange algorithms are in use, run the following command:
$ sudo grep -i kexalgorithms /etc/ssh/sshd_config
The output should contain only following algorithms (or a subset) in the exact order:
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
      Is it the case that KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order?
      

MACs hmac-sha2-512,hmac-sha2-256

Only FIPS-approved MACs should be used. To verify that only FIPS-approved
MACs are in use, run the following command:
$ sudo grep -i macs /etc/ssh/sshd_config
The output should contain only following MACs (or a subset) in the exact order:
MACs 
      Is it the case that MACs option is commented out or not using FIPS-approved hash algorithms?
      

[nss]
memcache_timeout = 
          

To verify that SSSD's in-memory cache expires after a day, run the following command:
$ sudo grep memcache_timeout /etc/sssd/sssd.conf
If configured properly, output should be memcache_timeout = .
      Is it the case that it does not exist or is not configured properly?
      

[pam]
offline_credentials_expiration = 1

To verify that SSSD expires offline credentials, run the following command:
$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
If configured properly, output should be
offline_credentials_expiration = 1
      Is it the case that it does not exist or is not configured properly?
      

To determine if !authenticate has not been configured for sudo, run the following command:
$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/
The command should return no output.
      Is it the case that !authenticate is specified in the sudo config files?
      

To determine if NOPASSWD has been configured for sudo, run the following command:
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
The command should return no output.
      Is it the case that nopasswd is specified in the sudo config files?
      

To determine if NOPASSWD or !authenticate have been configured for
sudo, run the following command:
$ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/
The command should return no output.
      Is it the case that nopasswd and/or !authenticate is enabled in sudo?
      

Verify the operating system requires re-authentication
when using the "sudo" command to elevate privileges, run the following command:
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
The output should be:
/etc/sudoers:Defaults timestamp_timeout=0 or "timestamp_timeout" is set to a positive number.
If conflicting results are returned, this is a finding.
      Is it the case that timestamp_timeout is not set with the appropriate value for sudo?
      

Determine if "sudoers" file restricts sudo access run the following commands:
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
      Is it the case that either of the commands returned a line?
      

To determine whether sudo command includes configuration files from the appropriate directory,
run the following command:
$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d
If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly.
Any other line returned is a finding.
      Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories??
      

 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 

 Defaults !targetpw
      Defaults !rootpw
      Defaults !runaspw 

 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 

 /etc/sudoers:Defaults !targetpw
      /etc/sudoers:Defaults !rootpw
      /etc/sudoers:Defaults !runaspw 

Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' 
or if cvtsudoers not supported:
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
If no results are returned, this is a finding.
If conflicting results are returned, this is a finding.
If "Defaults !targetpw" is not defined, this is a finding.
If "Defaults !rootpw" is not defined, this is a finding.
If "Defaults !runaspw" is not defined, this is a finding.
      Is it the case that invoke user passwd when using sudo?
      

$ sudo sysctl -w kernel.dmesg_restrict=1

kernel.dmesg_restrict = 1

The runtime status of the kernel.dmesg_restrict kernel parameter can be queried
by running the following command:
$ sysctl kernel.dmesg_restrict
1.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w kernel.kptr_restrict=
              

kernel.kptr_restrict = 
              

The runtime status of the kernel.kptr_restrict kernel parameter can be queried
by running the following command:
$ sysctl kernel.kptr_restrict
The output of the command should indicate either:
kernel.kptr_restrict = 1
or:
kernel.kptr_restrict = 2
The output of the command should not indicate:
kernel.kptr_restrict = 0

The preferable way how to assure the runtime compliance is to have
correct persistent configuration, and rebooting the system.

The persistent kernel parameter configuration is performed by specifying the appropriate
assignment in any file located in the /etc/sysctl.d directory.
Verify that there is not any existing incorrect configuration by executing the following command:
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
The command should not find any assignments other than:
kernel.kptr_restrict = 1
or:
kernel.kptr_restrict = 2

Conflicting assignments are not allowed.
      Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0?
      

$ sudo sysctl -w kernel.randomize_va_space=2

kernel.randomize_va_space = 2

The runtime status of the kernel.randomize_va_space kernel parameter can be queried
by running the following command:
$ sysctl kernel.randomize_va_space
2.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0

net.ipv4.conf.all.accept_redirects = 0

The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.accept_redirects
0.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0

net.ipv4.conf.all.accept_source_route = 0

The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.accept_source_route
0.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0

net.ipv4.conf.all.send_redirects = 0

The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.send_redirects
0.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.default.accept_redirects = 0

The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.accept_redirects
0.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

net.ipv4.conf.default.accept_source_route = 0

The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.accept_source_route
0.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0

net.ipv4.conf.default.send_redirects = 0

The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.default.send_redirects
0.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv4.ip_forward=0

net.ipv4.ip_forward = 0

The runtime status of the net.ipv4.ip_forward kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.ip_forward
0.
The ability to forward packets is only appropriate for routers.
      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv4.tcp_syncookies=1

net.ipv4.tcp_syncookies = 1

The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried
by running the following command:
$ sysctl net.ipv4.tcp_syncookies
1.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0

net.ipv6.conf.all.accept_redirects = 0

The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.accept_redirects
0.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0

net.ipv6.conf.all.accept_source_route = 0

The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.accept_source_route
0.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv6.conf.all.forwarding=0

net.ipv6.conf.all.forwarding = 0

The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.all.forwarding
0.
The ability to forward packets is only appropriate for routers.
      Is it the case that IP forwarding value is "1" and the system is not router?
      

$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0

net.ipv6.conf.default.accept_redirects = 0

The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_redirects
0.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0

net.ipv6.conf.default.accept_source_route = 0

The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_source_route
0.

      Is it the case that the correct value is not returned?
      

$ sudo sysctl -w net.ipv6.conf.default.forwarding=0

net.ipv6.conf.default.forwarding = 0

The runtime status of the net.ipv6.conf.default.forwarding kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.forwarding
0.
The ability to forward packets is only appropriate for routers.
      Is it the case that IPv6 Forwading is not disabled?
      

$ sudo zypper install kbd

Run the following command to determine if the kbd package is installed:
$ rpm -q kbd
      Is it the case that the package is not installed?
      

$ sudo wicked ifdown <WIFI-INTERFACE>

Verify that there are no wireless interfaces configured on the system
with the following command:

# wicked show all
lo up
link: #1, state up
type: loopback
config: compat:suse:/etc/sysconfig/network/ifcfg-lo
leases: ipv4 static granted
leases: ipv6 static granted
addr: ipv4 127.0.0.1/8 [static]
addr: ipv6 ::1/128 [static]

wlan0 up
link: #3, state up, mtu 1500
type: wireless, hwaddr 06:00:00:00:00:02
config: wicked:xml:/etc/wicked/ifconfig/wlan0.xml
leases: ipv4 dhcp granted
addr: ipv4 10.0.0.101/16 [dhcp]
route: ipv4 default via 10.0.0.1 proto dhcp
The output should not contain any interfaces of type wireless in
state up.

If a wireless interface is configured it must be documented and approved by
the local Authorizing Official.
      Is it the case that a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)?