CCE Identifiers in Guide to the Secure Configuration of SUSE Linux Enterprise Server 16
| CCE ID |
Rule Title |
Description |
| CCE-95701-9 |
Build and Test AIDE Database |
Run the following command to generate a new database:
$ sudo /usr/bin/aide --init
By default, the database will be written to the file
/var/lib/aide/aide.db.new.
Storing the database, the configuration file /etc/aide.conf, and the binary
/usr/bin/aide
(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
To initiate a manual check, run the following command:
$ sudo /usr/bin/aide --check
If this check produces any unexpected output, investigate. |
| CCE-95702-7 |
Configure Systemd Timer Execution of AIDE |
At a minimum, AIDE should be configured to run a weekly scan.
To implement a systemd service and a timer unit to run the service periodically:
For example, if a systemd timer is expected to be started every day at 5AM
OnCalendar=*-*-* 05:00:0
[Timer] section in the timer unit and
a Unit section starting the AIDE check service unit should be referred. |
| CCE-95709-2 |
The Installed Operating System Is Vendor Supported |
The installed operating system must be maintained by a vendor.
SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise
vendor, SUSE is responsible for providing security patches. |
| CCE-95704-3 |
Ensure PAM Displays Last Logon/Access Notification |
To configure the system to notify users of last logon/access using pam_lastlog,
add or correct the pam_lastlog settings in /etc/pam.d/postlogin-session
to include showfailed option, such as:
session optional pam_lastlog2.so showfailed
And make sure that the silent option is not set for this specific line. |
| CCE-95711-8 |
Ensure that System Accounts Do Not Run a Shell Upon Login |
Some accounts are not associated with a human user of the system, and exist to perform some
administrative functions. Should an attacker be able to log into these accounts, they should
not be granted access to a shell.
The login shell for each local account is stored in the last field of each line in
/etc/passwd. System accounts are those user accounts with a user ID less than
1000. The user ID is stored in the third field. If any system account
other than root has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin account
|
| CCE-95713-4 |
Restrict Serial Port Root Logins |
To restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty:
ttyS0
ttyS1
|
| CCE-95717-5 |
Ensure SMEP is not disabled during boot |
The SMEP is used to prevent the supervisor mode from executing user space code,
it is enabled by default since Linux kernel 3.0. But it could be disabled through
kernel boot parameters.
Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
the nosmep boot parameter option.
Check that the line GRUB_CMDLINE_LINUX="..." within /etc/default/grub
doesn't contain the argument nosmep.
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --remove-args="nosmep"
|
| CCE-95707-6 |
Enforce Spectre v2 mitigation |
Spectre V2 is an indirect branch poisoning attack that can lead to data leakage.
An exploit for Spectre V2 tricks the indirect branch predictor into executing
code from a future indirect branch chosen by the attacker, even if the privilege
level is different.
Since Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command:
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Enforce the Spectre V2 mitigation by adding the argument
spectre_v2=on to the default
GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain spectre_v2=on as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) spectre_v2=on"
|
| CCE-95714-2 |
Ensure Logs Sent To Remote Host |
To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting
To use UDP for log message delivery:
*.* @
Or in RainerScript:
*.* action(type="omfwd" ... target="" protocol="udp")
To use TCP for log message delivery:
*.* @@
Or in RainerScript:
*.* action(type="omfwd" ... target="" protocol="tcp")
To use RELP for log message delivery:
*.* :omrelp:
Or in RainerScript:
*.* action(type="omfwd" ... target="" protocol="relp")
There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. |
| CCE-95705-0 |
Ensure All Files Are Owned by a Group |
If any file is not group-owned by a valid defined group, the cause of the lack of
group-ownership must be investigated. Following this, those files should be deleted or
assigned to an appropriate group. The groups need to be defined in /etc/group
or in /usr/lib/group if nss-altfiles are configured to be used
in /etc/nsswitch.conf.
Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid group using the following command:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
|
| CCE-95710-0 |
Ensure All Files Are Owned by a User |
If any files are not owned by a user, then the cause of their lack of ownership should be
investigated. Following this, the files should be deleted or assigned to an appropriate user.
Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid user using the following command:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
|
| CCE-95703-5 |
Enable NX or XD Support in the BIOS |
Reboot the system and enter the BIOS or Setup configuration menu.
Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
on AMD-based systems. |
| CCE-95708-4 |
Install PAE Kernel on Supported 32-bit x86 Systems |
Systems that are using the 64-bit x86 kernel package
do not need to install the kernel-PAE package because the 64-bit
x86 kernel already includes this support. However, if the system is
32-bit and also supports the PAE and NX features as
determined in the previous section, the kernel-PAE package should
be installed to enable XD or NX support.
The kernel-PAE package can be installed with the following command:
$ sudo zypper install kernel-PAE
The installation process should also have configured the
bootloader to load the new kernel at boot. Verify this after reboot
and modify /etc/default/grub if necessary. |
| CCE-95712-6 |
Install libselinux Package |
The libselinux package can be installed with the following command:
$ sudo zypper install libselinux
|
| CCE-95715-9 |
Enable the selinuxuser_execmod SELinux Boolean |
By default, the SELinux boolean selinuxuser_execmod is enabled.
If this setting is disabled, it should be enabled.
To enable the selinuxuser_execmod SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execmod on
|
| CCE-95716-7 |
Enable auditd Service |
The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
|
| CCE-95706-8 |
Enable Auditing for Processes Which Start Prior to the Audit Daemon |
To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain audit=1 as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
|
|
Remove Default Configuration to Disable Syscall Auditing |
By default, SUSE Linux Enterprise Server 16 ships an audit rule to disable syscall
auditing for performance reasons.
To make sure that syscall auditing works, this line must be removed from
/etc/audit/rules.d/audit.rules and /etc/audit/audit.rules:
-a task,never
|
|
Record Events that Modify the System's Mandatory Access Controls (/etc/selinux) |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /etc/selinux/ -p wa -k MAC-policy
|
|
Record Events that Modify the System's Discretionary Access Controls - fchmodat2 |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat2 -F auid>=1000 -F auid!=unset -F key=perm_mod
|
|
Ensure auditd Collects File Deletion Events by User - renameat2 |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S renameat2 -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S renameat2 -F auid>=1000 -F auid!=unset -F key=delete
|
|
Set type of computer node name logging in audit logs |
To configure Audit daemon to use a unique identifier
as computer node name in the audit events,
set name_format to /etc/audit/auditd.conf. |