CCE Identifiers in Guide to the Secure Configuration of SUSE Linux Enterprise Micro 5
| CCE ID |
Rule Title |
Description |
| CCE-93758-1 |
Install AIDE |
The aide package can be installed with the following command:
$ sudo zypper install aide
|
| CCE-93710-2 |
Build and Test AIDE Database |
Run the following command to generate a new database:
$ sudo /usr/bin/aide --init
By default, the database will be written to the file
/var/lib/aide/aide.db.new.
Storing the database, the configuration file /etc/aide.conf, and the binary
/usr/bin/aide
(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
To initiate a manual check, run the following command:
$ sudo /usr/bin/aide --check
If this check produces any unexpected output, investigate. |
| CCE-93703-7 |
Configure AIDE to Verify the Audit Tools |
The operating system file integrity tool must be configured to protect the integrity of the audit tools. |
| CCE-93721-9 |
Configure Systemd Timer Execution of AIDE |
At a minimum, AIDE should be configured to run a weekly scan.
To implement a systemd service and a timer unit to run the service periodically:
For example, if a systemd timer is expected to be started every day at 5AM
OnCalendar=*-*-* 05:00:0
[Timer] section in the timer unit and
a Unit section starting the AIDE check service unit should be referred. |
| CCE-93722-7 |
Configure Notification of Post-AIDE Scan Details |
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
If AIDE has already been configured for periodic execution in /etc/crontab, append the
following line to the existing AIDE line:
| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example. |
| CCE-93742-5 |
Configure AIDE to Verify Access Control Lists (ACLs) |
By default, the acl option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the acl option is missing, add acl
to the appropriate ruleset.
For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.
The remediation provided with this rule adds acl to all rule sets available in
/etc/aide.conf
|
| CCE-93743-3 |
Configure AIDE to Verify Extended Attributes |
By default, the xattrs option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the xattrs option is missing, add xattrs
to the appropriate ruleset.
For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.
The remediation provided with this rule adds xattrs to all rule sets available in
/etc/aide.conf
|
| CCE-93785-4 |
Verify '/proc/sys/crypto/fips_enabled' exists |
On a system where FIPS 140-2 mode is enabled, /proc/sys/crypto/fips_enabled must exist.
To verify FIPS mode, run the following command:
cat /proc/sys/crypto/fips_enabled
|
| CCE-93601-3 |
The Installed Operating System Is Vendor Supported |
The installed operating system must be maintained by a vendor.
SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise
vendor, SUSE is responsible for providing security patches. |
| CCE-93760-7 |
Encrypt Partitions |
SUSE Linux Enterprise Micro 5 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
For manual installations, select the Encrypt checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the SUSE Linux Enterprise Micro 5 Documentation web site:
https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-security-cryptofs.html
. |
| CCE-93796-1 |
Ensure /home Located On Separate Partition |
If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later. |
| CCE-93797-9 |
Ensure /var Located On Separate Partition |
The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM. |
| CCE-93787-0 |
Ensure /var/log/audit Located On Separate Partition |
Audit logs are stored in the /var/log/audit directory.
Ensure that /var/log/audit has its own partition or logical
volume at installation time, or migrate it using LVM.
Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon. |
| CCE-93754-0 |
Disable GDM Unattended or Automatic Login |
The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials or unattended login. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the DISPLAYMANAGER_AUTOLOGIN=""
or DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" in the
/etc/sysconfig/displaymanager. For example:
DISPLAYMANAGER_AUTOLOGIN=""
DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
|
| CCE-93715-1 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate |
The sudo !authenticate option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/. |
| CCE-93714-4 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD |
The sudo NOPASSWD tag, when specified, allows a user to execute
commands using sudo without having to authenticate. This should be disabled
by making sure that the NOPASSWD tag does not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. |
| CCE-93713-6 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo |
The sudo NOPASSWD and !authenticate option, when
specified, allows a user to execute commands using sudo without having to
authenticate. This should be disabled by making sure that
NOPASSWD and/or !authenticate do not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/." |
| CCE-93716-9 |
Require Re-Authentication When Using the sudo Command |
The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits.
The default timestamp_timeout value is 5 minutes.
The timestamp_timeout should be configured by making sure that the
timestamp_timeout tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
If the value is set to an integer less than 0, the user's time stamp will not expire
and the user will not have to re-authenticate for privileged actions until the user's session is terminated. |
| CCE-93786-2 |
The operating system must restrict privilege elevation to authorized personnel |
The sudo command allows a user to execute programs with elevated
(administrator) privileges. It prompts the user for their password
and confirms your request to execute a command by checking a file,
called sudoers.
Restrict privileged actions by removing the following entries from the sudoers file:
ALL ALL=(ALL) ALL
ALL ALL=(ALL:ALL) ALL
|
| CCE-93733-4 |
Ensure sudo only includes the default configuration directory |
Administrators can configure authorized sudo users via drop-in files, and it is possible to include
other directories and configuration files from the file currently being parsed.
Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d,
or that no drop-in file is included.
Either the /etc/sudoers should contain only one #includedir directive pointing to
/etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories;
Or the /etc/sudoers should not contain any #include,
@include, #includedir or @includedir directives.
Note that the '#' character doesn't denote a comment in the configuration file. |
| CCE-93735-9 |
Ensure invoking users password for privilege escalation when using sudo |
The sudoers security policy requires that users authenticate themselves before they can use sudo.
When sudoers requires authentication, it validates the invoking user's credentials.
The expected output for:
sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$'
Defaults !targetpw
Defaults !rootpw
Defaults !runaspw
or if cvtsudoers not supported:
sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \;
/etc/sudoers:Defaults !targetpw
/etc/sudoers:Defaults !rootpw
/etc/sudoers:Defaults !runaspw
|
| CCE-93720-1 |
Ensure zypper Removes Previous Package Versions |
zypper should be configured to remove previous software components after
new versions have been installed. To configure zypper to remove the
previous software components after updating, set the solver.upgradeRemoveDroppedPackages
to 1 in /etc/zypp/zypp.conf. |
| CCE-93712-8 |
Ensure gpgcheck Enabled In Main zypper Configuration |
The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure zypper to check package signatures before installing
them, ensure the following line appears in /etc/zypp/zypp.conf in
the [main] section:
gpgcheck=1
|
| CCE-93804-3 |
Ensure Software Patches Installed |
If the system is configured for online updates, invoking the following command will list available
security updates:
$ sudo zypper refresh && sudo zypper list-patches -g security
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
dictates. |
| CCE-93802-7 |
Modify the System Login Banner |
To configure the system login banner edit /etc/issue. Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't.
|
| CCE-93730-0 |
Ensure PAM Displays Last Logon/Access Notification |
To configure the system to notify users of last logon/access using pam_lastlog,
add or correct the pam_lastlog settings in /etc/pam.d/login
to include showfailed option, such as:
session required pam_lastlog.so showfailed
And make sure that the silent option is not set for this specific line. |
| CCE-93750-8 |
The PAM configuration should not be changed automatically |
Verify the SUSE operating system is configured to not overwrite Pluggable
Authentication Modules (PAM) configuration on package changes. |
| CCE-94082-5 |
Limit Password Reuse |
Do not allow users to reuse recent passwords. This can be
accomplished by using the remember option for the
pam_pwhistory PAM modules.
In the file /etc/pam.d/common-password, make sure the parameters
remember and use_authtok are present, and that the value
for the remember parameter is or greater. For example:
password requisite pam_pwhistory.so ...existing_options... remember= use_authtok
The DoD STIG requirement is 5 passwords. |
| CCE-94092-4 |
Enforce Delay After Failed Logon Attempts |
To configure the system to introduce a delay after failed logon attempts,
add or correct the pam_faildelay settings in
/etc/pam.d/common-auth to make sure its delay parameter
is at least or greater. For example:
auth required pam_faildelay.so delay=
|
| CCE-93775-5 |
Set Deny For Failed Password Attempts |
The SUSE Linux Enterprise Micro 5 operating system must lock an account after - at most -
consecutive invalid access attempts. |
| CCE-94089-0 |
SLEM 5 must use the default pam_tally2 tally directory. |
This rule configures the system to use default pam_tally2 tally directory |
| CCE-94088-2 |
An SELinux Context must be configured for default pam_tally2 file option |
The file configuration option in PAM pam_tally2.so module defines where to keep counts.
Default is /var/log/tallylog. The configured directory must have the correct SELinux context. |
| CCE-93764-9 |
Set Password Strength Minimum Digit Characters |
The pam_cracklib module's dcredit parameter controls requirements
for usage of digits in a password. When set to a negative number, any
password will be required to contain that many digits. When set to a
positive number, pam_cracklib will grant +1 additional length credit for
each digit. Add dcredit=-1 after pam_cracklib.so to require use of
a digit in passwords. |
| CCE-93765-6 |
Set Password Strength Minimum Different Characters |
The pam_cracklib module's difok parameter controls requirements for
usage of different characters during a password change. The number of
changed characters refers to the number of changes required with respect to
the total number of positions in the current password. In other words,
characters may be the same within the two passwords; however, the positions
of the like characters must be different.
Make sure the difok parameter for the pam_cracklib module is
configured to greater than or equal to |
| CCE-93763-1 |
Set Password Strength Minimum Lowercase Characters |
The pam_cracklib module's lcredit= parameter controls requirements
for usage of lowercase letters in a password. When set to a negative
number, any password will be required to contain that many lowercase
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each lowercase character.
Add lcredit=-1 after pam_cracklib.so to require use of a
lowercase character in passwords. |
| CCE-93766-4 |
Set Password Minimum Length |
The pam_cracklib module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=
to set minimum password length requirements. |
| CCE-93767-2 |
Set Password Strength Minimum Special Characters |
The pam_cracklib module's ocredit= parameter controls requirements
for usage of special (or ``other'') characters in a password. When set to a
negative number, any password will be required to contain that many special
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each special character.
Make sure the ocredit parameter for the pam_cracklib module is
set to less than or equal to ocredit=
. |
| CCE-93729-2 |
Set Password Retry Limit |
The pam_cracklib module's retry parameter controls the maximum
number of times to prompt the user for the password before returning
with error. Make sure it is configured with a value that is no more than
. For example, retry=1. |
| CCE-93762-3 |
Set Password Strength Minimum Uppercase Characters |
The pam_cracklib module's ucredit= parameter controls requirements
for usage of uppercase letters in a password. When set to a negative
number, any password will be required to contain that many uppercase
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each uppercase character.
Add ucredit=-1 after pam_cracklib.so to require use of an upper
case character in passwords. |
| CCE-93689-8 |
Set Password Hashing Algorithm in /etc/login.defs |
In /etc/login.defs, add or update the following line to ensure the system will use
as the hashing algorithm:
ENCRYPT_METHOD
|
| CCE-93681-5 |
Set PAM''s Password Hashing Algorithm |
The PAM system service can be configured to only store encrypted representations of passwords.
In "/etc/pam.d/common-password", the password section of the file controls which
PAM modules to execute during a password change.
Set the pam_unix.so module in the password section to include the option
password required pam_unix.so
other arguments...
This will help ensure that new passwords for local users will be stored using the
algorithm. |
| CCE-93682-3 |
Set Password Hashing Rounds in /etc/login.defs |
In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and
SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000.
For example:
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000
Notice that if neither are set, they already have the default value of 5000.
If either is set, they must have the minimum value of 5000. |
| CCE-93744-1 |
Disable Ctrl-Alt-Del Reboot Activation |
By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the
command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target
Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates. |
| CCE-93755-7 |
Check that vlock is installed to allow session locking |
The SUSE Linux Enterprise Micro 5 operating system must have vlock installed to allow for session locking.
The kbd package can be installed with the following command:
$ sudo zypper install kbd
|
| CCE-93761-5 |
Install Smart Card Packages For Multifactor Authentication |
Configure the operating system to implement multifactor authentication by
installing the required package with the following command:
The pam_pkcs11 package can be installed with the following command:
$ sudo zypper install pam_pkcs11
The mozilla-nss package can be installed with the following command:
$ sudo zypper install mozilla-nss
The mozilla-nss-tools package can be installed with the following command:
$ sudo zypper install mozilla-nss-tools
The pcsc-ccid package can be installed with the following command:
$ sudo zypper install pcsc-ccid
The pcsc-lite package can be installed with the following command:
$ sudo zypper install pcsc-lite
The pcsc-tools package can be installed with the following command:
$ sudo zypper install pcsc-tools
The opensc package can be installed with the following command:
$ sudo zypper install opensc
The coolkey package can be installed with the following command:
$ sudo zypper install coolkey
|
| CCE-93680-7 |
Configure Smart Card Certificate Authority Validation |
Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy lines in
/etc/pam_pkcs11/pam_pkcs11.conf to include ca like so:
cert_policy = ca, ocsp_on, signature;
|
| CCE-93717-7 |
Configure Smart Card Certificate Status Checking |
Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy lines in
/etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
cert_policy = ca, ocsp_on, signature;
|
| CCE-93800-1 |
Enable Smart Card Logins in PAM |
This requirement only applies to components where this is specific to the
function of the device or has the concept of an organizational user (e.g.,
VPN, proxy capability). This does not apply to authentication for the
purpose of configuring the device itself (management).
Check that the pam_pkcs11.so option is configured in the
etc/pam.d/common-auth file with the following command:
# grep pam_pkcs11.so /etc/pam.d/common-auth
auth sufficient pam_pkcs11.so
For general information about enabling smart card authentication, consult
the documentation at:
|
| CCE-93780-5 |
Ensure All Accounts on the System Have Unique User IDs |
Change user IDs (UIDs), or delete accounts, so each has a unique name. |
| CCE-93731-8 |
Only Authorized Local User Accounts Exist on Operating System |
Enterprise Application tends to use the server or virtual machine exclusively.
Besides the default operating system user, there should be only authorized local
users required by the installed software groups and applications that exist on
the operating system. The authorized user list can be customized in the refine
value variable var_accounts_authorized_local_users_regex.
OVAL regular expression is used for the user list.
Configure the system so all accounts on the system are assigned to an active system,
application, or user account. Remove accounts that do not support approved system
activities or that allow for a normal user to perform administrative-level actions.
To remove unauthorized system accounts, use the following command:
$ sudo userdel unauthorized_user
|
| CCE-93688-0 |
Set Account Expiration Following Inactivity |
To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd:
INACTIVE=
If a password is currently on the verge of expiration, then
useradd man page for more information. |
| CCE-93781-3 |
Never Automatically Remove or Disable Emergency Administrator Accounts |
Emergency accounts are privileged accounts that are established in response
to crisis situations where the need for rapid account activation is
required. Therefore, emergency account activation may bypass normal account
authorization processes. If these accounts are automatically disabled,
system maintenance during emergencies may not be possible, thus adversely
affecting system availability.
Check to see if an emergency administrator account password or account expires with the following command:
# sudo chage -l [Emergency_Administrator]
Password expires:never
If Password expires or Account expires is set to anything other than never, this is a finding. |
| CCE-93782-1 |
Assign Expiration Date to Temporary Accounts |
Temporary accounts are established as part of normal account activation
procedures when there is a need for short-term accounts. In the event
temporary accounts are required, configure the system to
terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on
it, substituting USER and YYYY-MM-DD
appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours. |
| CCE-93685-6 |
Set Password Maximum Age |
To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is |
| CCE-93683-1 |
Set Password Minimum Age |
To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS
A value of 1 day is considered sufficient for many
environments. The DoD requirement is 1.
The profile requirement is |
| CCE-93686-4 |
Set Existing Passwords Maximum Age |
Configure non-compliant accounts to enforce a -day maximum password lifetime
restriction by running the following command:
$ sudo chage -M
USER
|
| CCE-93684-9 |
Set Existing Passwords Minimum Age |
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER
|
| CCE-93774-8 |
Verify All Account Password Hashes are Shadowed with SHA512 |
Verify the operating system requires the shadow password suite
configuration be set to encrypt interactive user passwords using a strong
cryptographic hash.
Check that the interactive user account passwords are using a strong
password hash with the following command:
$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
If any interactive user password hash does not begin with $6,
this is a finding. |
| CCE-93738-3 |
Prevent Login to Accounts With Empty Password |
If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok in
password authentication configurations in /etc/pam.d/
to prevent logins with empty passwords. |
| CCE-93737-5 |
Ensure There Are No Accounts With Blank or Null Passwords |
Check the "/etc/shadow" file for blank passwords with the
following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding.
Configure all accounts on the system to have a password or lock
the account with the following commands:
Perform a password reset:
$ sudo passwd [username]
Lock an account:
$ sudo passwd -l [username]
|
| CCE-93734-2 |
Verify Only Root Has UID 0 |
If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
Otherwise assign a UID greater than "1000" that has not already been
assigned. |
| CCE-93732-6 |
Ensure that System Accounts Do Not Run a Shell Upon Login |
Some accounts are not associated with a human user of the system, and exist to perform some
administrative functions. Should an attacker be able to log into these accounts, they should
not be granted access to a shell.
The login shell for each local account is stored in the last field of each line in
/etc/passwd. System accounts are those user accounts with a user ID less than
1000. The user ID is stored in the third field. If any system account
other than root has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin account
|
| CCE-93736-7 |
Ensure Home Directories are Created for New Users |
All local interactive user accounts, upon creation, should be assigned a home directory.
Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME
parameter in /etc/login.defs to yes as follows:
CREATE_HOME yes
|
| CCE-94093-2 |
Ensure the Logon Failure Delay is Set Correctly in login.defs |
To ensure the logon failure delay controlled by /etc/login.defs is set properly,
add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY
|
| CCE-93671-6 |
Limit the Number of Concurrent Login Sessions Allowed Per User |
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf or
a file under /etc/security/limits.d/:
* hard maxlogins
|
| CCE-93805-0 |
Set Interactive Session Timeout |
Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity.
The value of TMOUT should be exported and read only.
The TMOUT
setting in /etc/profile.d/autologout.sh should read as follows:
TMOUT=
readonly TMOUT
export TMOUT |
| CCE-93790-4 |
User Initialization Files Must Not Run World-Writable Programs |
Set the mode on files being executed by the user initialization files with the
following command:
$ sudo chmod o-w FILE
|
| CCE-93789-6 |
Ensure that Users Path Contains Only Local Directories |
Ensure that all interactive user initialization files executable search
path statements do not contain statements that will reference a working
directory other than the users home directory. |
| CCE-93745-8 |
All Interactive Users Must Have A Home Directory Defined |
Assign home directories to all interactive users that currently do not
have a home directory assigned.
This rule checks if the home directory is properly defined in a folder which has
at least one parent folder, like "user" in "/home/user" or "/remote/users/user".
Therefore, this rule will report a finding for home directories like /users,
/tmp or /. |
| CCE-93746-6 |
All Interactive Users Home Directories Must Exist |
Create home directories to all local interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
|
| CCE-93748-2 |
All Interactive User Home Directories Must Be Group-Owned By The Primary Group |
Change the group owner of interactive users home directory to the
group found in /etc/passwd. To change the group owner of
interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
This rule ensures every home directory related to an interactive user is
group-owned by an interactive user. It also ensures that interactive users
are group-owners of one and only one home directory. |
| CCE-93749-0 |
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive |
Set the mode of the user initialization files to 0740 with the
following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE
|
| CCE-93747-4 |
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive |
Change the mode of interactive users home directories to 0750. To
change the mode of interactive users home directory, use the
following command:
$ sudo chmod 0750 /home/USER
|
| CCE-93753-2 |
Ensure the Default Umask is Set Correctly in login.defs |
To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK
|
| CCE-93778-9 |
Set Boot Loader Password in grub2 |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.
Using the hash from the output, modify the /etc/grub.d/40_custom
file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
NOTE: the bootloader superuser account and password MUST differ from the
root account and password.
Once the superuser password has been added,
update the
grub.cfg file by running:
grubby --update-kernel=ALL
|
| CCE-93779-7 |
Set the UEFI Boot Loader Password |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.
Using the hash from the output, modify the /etc/grub.d/40_custom
file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
NOTE: the bootloader superuser account and password MUST differ from the
root account and password.
Once the superuser password has been added,
update the
grub.cfg file by running:
grubby --update-kernel=ALL
|
| CCE-94085-8 |
Install systemd-journal-remote Package |
Journald (via systemd-journal-remote ) supports the ability to send
log events it gathers to a remote log host or to receive messages
from remote hosts, thus enabling centralised log management. |
| CCE-94084-1 |
Enable systemd-journal-upload Service |
SUSE Linux Enterprise Micro 5 must offload rsyslog messages for networked systems in real time and
offload standalone systems at least weekly.
The systemd-journal-upload service can be enabled with the following command:
$ sudo systemctl enable systemd-journal-upload.service
|
| CCE-94080-9 |
Configure systemd-journal-upload TLS parameters: ServerKeyFile,ServerCertificateFile and TrustedCertificateFile |
SUSE Linux Enterprise Micro 5 must offload rsyslog messages for networked systems in real time and
offload standalone systems at least weekly |
| CCE-94081-7 |
Configure systemd-journal-upload URL |
SUSE Linux Enterprise Micro 5 must offload rsyslog messages for networked systems in real time and
offload standalone systems at least weekly |
| CCE-93752-4 |
Ensure System is Not Acting as a Network Sniffer |
The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command:
$ sudo ip link set dev device_name multicast off promisc off
|
| CCE-93769-8 |
Verify firewalld Enabled |
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
|
| CCE-93635-1 |
Disable Accepting ICMP Redirects for All IPv6 Interfaces |
To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0
|
| CCE-93630-2 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces |
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0
|
| CCE-93640-1 |
Disable Kernel Parameter for IPv6 Forwarding |
To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.forwarding = 0
|
| CCE-93636-9 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces |
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0
|
| CCE-93632-8 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
|
| CCE-93641-9 |
Disable Kernel Parameter for IPv6 Forwarding by default |
To set the runtime status of the net.ipv6.conf.default.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.forwarding = 0
|
| CCE-93633-6 |
Disable Accepting ICMP Redirects for All IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0
|
| CCE-93629-4 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0
|
| CCE-93634-4 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
|
| CCE-93631-0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default |
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0
|
| CCE-93626-0 |
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
|
| CCE-93638-5 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0
|
| CCE-93637-7 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default |
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0
|
| CCE-93639-3 |
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces |
To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0
|
| CCE-93704-5 |
Deactivate Wireless Network Interfaces |
Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.
Configure the system to disable wireless network interfaces by issuing the following
command for every active <WIFI-INTERFACE> in the system:
$ sudo wicked ifdown <WIFI-INTERFACE>
Also remove the configuration files for every wifi adapter from
/etc/wicked/ifconfig/<WIFI-INTERFACE>.xml to prevent future
connections. |
| CCE-93693-0 |
Verify that All World-Writable Directories Have Sticky Bits Set |
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may
remove that file from the directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky bit prevents users from
removing each other's files. In cases where there is no reason for a directory to be
world-writable, a better solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application, consult that application's
documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
|
| CCE-93795-3 |
Ensure All World-Writable Directories Are Group Owned by a System Account |
All directories in local partitions which are
world-writable should be group owned by root or another
system account. If any world-writable directories are not
group owned by a system account, this should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group. |
| CCE-93702-9 |
Verify that system commands directories have root as a group owner |
System commands are stored in the following directories:
by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All these directories should have root user as a group owner.
If any system command directory is not group owned by a user other than root
correct its ownership with the following command:
$ sudo chgrp root DIR
|
| CCE-93700-3 |
Verify that system commands directories have root ownership |
System commands are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All these directories should be owned by the root user.
If any system command directory is not owned by a user other than root
correct its ownership with the following command:
$ sudo chown root DIR
|
| CCE-93799-5 |
Ensure All Files Are Owned by a Group |
If any file is not group-owned by a group present in /etc/group, the cause of the lack of
group-ownership must be investigated. Following this, those files should be deleted or
assigned to an appropriate group.
Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid group using the following command:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
|
| CCE-93798-7 |
Ensure All Files Are Owned by a User |
If any files are not owned by a user, then the cause of their lack of ownership should be
investigated. Following this, the files should be deleted or assigned to an appropriate user.
Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid user using the following command:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
|
| CCE-93660-9 |
Verify permissions of log files |
Any operating system providing too much information in error messages
risks compromising the data and security of the structure, and content
of error messages needs to be carefully considered by the organization.
Organizations carefully consider the structure/content of error messages.
The extent to which information systems are able to identify and handle
error conditions is guided by organizational policy and operational
requirements. Information that could be exploited by adversaries includes,
for example, erroneous logon attempts with passwords entered by mistake
as the username, mission/business information that can be derived from
(if not stated explicitly by) information recorded, and personal
information, such as account numbers, social security numbers, and credit
card numbers. |
| CCE-93687-2 |
Verify Permissions and Ownership of Old Passwords File |
To properly set the owner of /etc/security/opasswd, run the command: $ sudo chown root /etc/security/opasswd
To properly set the group owner of /etc/security/opasswd, run the command: $ sudo chgrp root /etc/security/opasswd
To properly set the permissions of /etc/security/opasswd, run the command: $ sudo chmod 0600 /etc/security/opasswd
|
| CCE-94069-2 |
Verify that Shared Library Directories Have Root Group Ownership |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
group-owned by the root user. If the directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chgrp root DIR
|
| CCE-94068-4 |
Verify that Shared Library Directories Have Root Ownership |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chown root DIR
|
| CCE-93801-9 |
Verify that System Executable Directories Have Restrictive Permissions |
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
These directories should not be group-writable or world-writable.
If any directory DIR in these directories is found to be
group-writable or world-writable, correct its permission with the
following command:
$ sudo chmod go-w DIR
|
| CCE-94067-6 |
Verify that Shared Library Directories Have Restrictive Permissions |
System-wide shared library directories, which contain are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All sub-directories in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w DIR
|
| CCE-93701-1 |
Verify that system commands files are group owned by root or a system account |
System commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should be owned by the root group,
or a system account.
If the directory, or any file in these directories, is found to be owned
by a group other than root or a a system account correct its ownership
with the following command:
$ sudo chgrp root FILE
|
| CCE-93699-7 |
Verify that System Executables Have Root Ownership |
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE
|
| CCE-94066-8 |
Verify that Shared Library Files Have Root Ownership |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the directory, or any file in these
directories, is found to be owned by a user other than root correct its
ownership with the following command:
$ sudo chown root FILE
|
| CCE-93698-9 |
Verify that System Executables Have Restrictive Permissions |
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
$ sudo chmod go-w FILE
|
| CCE-94065-0 |
Verify that Shared Library Files Have Restrictive Permissions |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w FILE
|
| CCE-94064-3 |
Verify the system-wide library files in directories
"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. |
System-wide library files are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
All system-wide shared library files should be protected from unauthorised
access. If any of these files is not group-owned by root, correct its group-owner with
the following command:
$ sudo chgrp root FILE
|
| CCE-93772-2 |
Disable the Automounter |
The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
|
| CCE-93784-7 |
Disable Modprobe Loading of USB Storage Driver |
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/false
This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
| CCE-93791-2 |
Add nosuid Option to /home |
The nosuid mount option can be used to prevent
execution of setuid programs in /home. The SUID and SGID permissions
should not be required in these user data directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. |
| CCE-93792-0 |
Add nosuid Option to Removable Media Partitions |
The nosuid mount option prevents set-user-identifier (SUID)
and set-group-identifier (SGID) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce SUID and SGID
files into the system via partitions mounted from removeable media.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| CCE-93695-5 |
Verify that local /var/log/messages is not world-readable |
Files containing sensitive informations should be protected by restrictive
permissions. Most of the time, there is no need that these files need to be read by any non-root user
To properly set the permissions of /var/log/messages, run the command:
$ sudo chmod 0640 /var/log/messages
Check that "permissions.local" file contains the correct permissions rules with the following command:
# grep -i messages /etc/permissions.local
/var/log/messages root:root 640
|
| CCE-93697-1 |
Verify Permissions of Local Logs of audit Tools |
The SUSE operating system audit tools must have the proper permissions
configured to protect against unauthorized access.
Check that "permissions.local" file contains the correct permissions rules
with the following command:
grep "^/usr/sbin/au" /etc/permissions.local
/usr/sbin/audispd root:root 0750
/usr/sbin/auditctl root:root 0750
/usr/sbin/auditd root:root 0750
/usr/sbin/ausearch root:root 0755
/usr/sbin/aureport root:root 0755
/usr/sbin/autrace root:root 0750
/usr/sbin/augenrules root:root 0750
Audit tools include but are not limited to vendor-provided and open-source
audit tools needed to successfully view and manipulate audit information
system activity and records. Audit tools include custom queries and report
generators. |
| CCE-93776-3 |
Verify that Local Logs of the audit Daemon are not World-Readable |
Files containing sensitive informations should be protected by restrictive
permissions. Most of the time, there is no need that these files need to be
read by any non-root user.
Check that "permissions.local" file contains the correct permissions rules with the following command:
# grep -i audit /etc/permissions.local
/var/log/audit/ root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640
|
| CCE-93625-2 |
Restrict Access to Kernel Message Buffer |
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1
|
| CCE-93627-8 |
Restrict Exposed Kernel Pointer Addresses Access |
To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict =
|
| CCE-93628-6 |
Enable Randomized Layout of Virtual Address Space |
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2
|
| CCE-94091-6 |
Install policycoreutils-python-utils package |
The policycoreutils-python-utils package can be installed with the following command:
$ sudo zypper install policycoreutils-python-utils
|
| CCE-94097-3 |
Install policycoreutils Package |
The policycoreutils package can be installed with the following command:
$ sudo zypper install policycoreutils
|
| CCE-94095-7 |
Configure SELinux Policy |
The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=
Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
| CCE-94094-0 |
Ensure SELinux State is Enforcing |
The SELinux state should be set to /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=
|
| CCE-94087-4 |
Map System Users To The Appropriate SELinux Role |
Configure the operating system to prevent non-privileged users from executing
privileged functions to include disabling, circumventing, or altering
implemented security safeguards/countermeasures. All administrators must be
mapped to the sysadm_u or staff_u users with the
appropriate domains (sysadm_t and staff_t).
$ sudo semanage login -m -s sysadm_u USER
or
$ sudo semanage login -m -s staff_u USER
All authorized non-administrative
users must be mapped to the user_u role or the appropriate domain
(user_t).
$ sudo semanage login -m -s user_u USER
|
| CCE-93773-0 |
Disable KDump Kernel Crash Analyzer (kdump) |
The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.
The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service
|
| CCE-93678-1 |
Configure System to Forward All Mail For The Root Account |
Make sure that mails delivered to root user are forwarded to a monitored
email address. Make sure that the address
is a valid email address
reachable from the system in question. Use the following command to
configure the alias:
$ sudo echo "root: " >> /etc/aliases
$ sudo newaliases
|
| CCE-93794-6 |
Mount Remote Filesystems with noexec |
Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| CCE-93793-8 |
Mount Remote Filesystems with nosuid |
Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| CCE-93803-5 |
A remote time server for Chrony is configured |
Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed
to synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
https://chrony-project.org/.
Chrony can be configured to be a client and/or a server.
Add or edit server or pool lines to /etc/chrony.conf as appropriate:
server <remote-server>
Multiple servers may be configured. |
| CCE-93709-4 |
Configure Time Service Maxpoll Interval |
The maxpoll should be configured to
in /etc/ntp.conf or
/etc/chrony.conf (or /etc/chrony.d/) to continuously poll time servers. To configure
maxpoll in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/)
add the following after each server, pool or peer entry:
maxpoll
to server directives. If using chrony, any pool directives
should be configured too. |
| CCE-93741-7 |
Remove Host-Based Authentication Files |
The shosts.equiv file lists remote hosts and users that are trusted by the local
system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
|
| CCE-93740-9 |
Remove User Host-Based Authentication Files |
The ~/.shosts (in each user's home directory) files
list remote hosts and users that are trusted by the
local system. To remove these files, run the following command
to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete
|
|
Uninstall telnet-server Package |
The telnet-server package can be removed with the following command:
$ sudo zypper remove telnet-server
|
| CCE-93770-6 |
Install the OpenSSH Server Package |
The openssh-server package should be installed.
The openssh-server package can be installed with the following command:
$ sudo zypper install openssh-server
|
| CCE-93771-4 |
Enable the OpenSSH Service |
The SSH server service, sshd, is commonly needed.
The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
|
| CCE-93751-6 |
Verify Permissions on SSH Server Private *_key Key Files |
SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions.
If those files are owned by the root user and the root group, they have to have the 0640 permission or stricter. |
| CCE-93663-3 |
Verify Permissions on SSH Server Public *.pub Key Files |
To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub
|
| CCE-94086-6 |
OpenSSH Service Must Use Passcode for Their Private Keys |
Verify the SSH private key files have a passcode.
For each private key stored on the system, use the following command:
$ sudo ssh-keygen -y -f /path/to/file
If the contents of the key are displayed, without asking a passphrase this is a finding. |
| CCE-93694-8 |
Set SSH Client Alive Count Max |
The SSH server sends at most ClientAliveCountMax messages
during a SSH session and waits for a response from the SSH client.
The option ClientAliveInterval configures timeout after
each ClientAliveCountMax message. If the SSH server does not
receive a response from the client, then the connection is considered unresponsive
and terminated.
For SSH earlier than v8.2, a ClientAliveCountMax value of 0
causes a timeout precisely when the ClientAliveInterval is set.
Starting with v8.2, a value of 0 disables the timeout functionality
completely. If the option is set to a number greater than 0, then
the session will be disconnected after
ClientAliveInterval * ClientAliveCountMax seconds without receiving
a keep alive message. |
| CCE-93692-2 |
Set SSH Client Alive Interval |
SSH allows administrators to set a network responsiveness timeout interval.
After this interval has passed, the unresponsive client will be automatically logged out.
To set this timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval
The timeout interval is given in seconds. For example, have a timeout
of 10 minutes, set interval to 600.
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle. |
| CCE-93650-0 |
Disable SSH Access via Empty Passwords |
Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords,
add or correct the following line in
/etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords. |
| CCE-93644-3 |
Disable SSH Root Login |
The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
/etc/ssh/sshd_config:
PermitRootLogin no
|
| CCE-93646-8 |
Disable SSH Support for User Known Hosts |
SSH can allow system users to connect to systems if a cache of the remote
systems public keys is available. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in
/etc/ssh/sshd_config:
IgnoreUserKnownHosts yes
|
| CCE-93648-4 |
Disable X11 Forwarding |
The X11Forwarding parameter provides the ability to tunnel X11 traffic
through the connection to enable remote graphic connections.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate
configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in
/etc/ssh/sshd_config:
X11Forwarding no
|
| CCE-93649-2 |
Do Not Allow SSH Environment Options |
Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate
configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following
/etc/ssh/sshd_config:
PermitUserEnvironment no
|
| CCE-93647-6 |
Enable Use of Strict Mode Checking |
SSHs StrictModes option checks file and ownership permissions in
the user's home directory .ssh folder before accepting login. If world-
writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate
configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in
/etc/ssh/sshd_config:
StrictModes yes
|
| CCE-93642-7 |
Enable SSH Warning Banner |
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
/etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an
appropriate system-wide warning banner. |
| CCE-93645-0 |
Enable SSH Print Last Log |
Ensure that SSH will display the date and time of the last successful account logon.
The default SSH configuration enables print of the date and time of the last login.
The appropriate configuration is used if no value is set for PrintLastLog.
To explicitly enable LastLog in SSH, add or correct the following line in
/etc/ssh/sshd_config:
PrintLastLog yes
|
| CCE-93643-5 |
Set SSH Daemon LogLevel to VERBOSE |
The VERBOSE parameter configures the SSH daemon to record login and logout activity.
To specify the log level in
SSH, add or correct the following line in
/etc/ssh/sshd_config:
LogLevel VERBOSE
|
| CCE-93673-2 |
Use Only FIPS 140-2 Validated Ciphers |
Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers.
The rule is parametrized to use the following ciphers: |
| CCE-93672-4 |
Use Only FIPS 140-2 Validated Ciphers |
Limit the ciphers to those algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
This rule ensures that there are configured ciphers mentioned
above (or their subset), keeping the given order of algorithms. |
| CCE-93696-3 |
Use Only FIPS 140-2 Validated Key Exchange Algorithms |
Limit the key exchange algorithms to those which are FIPS-approved.
Add or modify the following line in /etc/ssh/sshd_config
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
This rule ensures that only the key exchange algorithms mentioned
above (or their subset) are configured for use, keeping the given
order of algorithms. |
| CCE-93691-4 |
Use Only FIPS 140-2 Validated MACs |
Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256
The man page sshd_config(5) contains a list of supported MACs.
The rule is parametrized to use the following MACs: |
| CCE-93690-6 |
Use Only FIPS 140-2 Validated MACs |
Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256
This rule ensures that there are configured MACs mentioned
above (or their subset), keeping the given order of algorithms. |
| CCE-93718-5 |
Configure SSSD's Memory Cache to Expire |
SSSD's memory cache should be configured to set to expire records after
memcache_timeout to
[nss] section in /etc/sssd/sssd.conf.
For example:
[nss]
memcache_timeout =
|
| CCE-93719-3 |
Configure SSSD to Expire Offline Credentials |
SSSD should be configured to expire offline credentials after 1 day.
To configure SSSD to expire offline credentials, set
offline_credentials_expiration to 1 under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
|
| CCE-94096-5 |
Ensure the default plugins for the audit dispatcher are Installed |
The audit-audispd-plugins package should be installed. |
| CCE-93756-5 |
Ensure the audit Subsystem is Installed |
The audit package should be installed. |
| CCE-93768-0 |
Enable auditd Service |
The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
|
| CCE-93739-1 |
Remove Default Configuration to Disable Syscall Auditing |
By default, SUSE Linux Enterprise Micro 5 ships an audit rule to disable syscall
auditing for performance reasons.
To make sure that syscall auditing works, this line must be removed from
/etc/audit/rules.d/audit.rules and /etc/audit/audit.rules:
-a task,never
|
| CCE-93654-2 |
Ensure auditd Collects Information on Exporting to Media (successful) |
At a minimum, the audit system should collect media exportation
events for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
|
| CCE-93725-0 |
Record Attempts to Alter Process and Session Initiation Information btmp |
The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/log/btmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/log/btmp -p wa -k session
|
| CCE-93723-5 |
Record Attempts to Alter Process and Session Initiation Information utmp |
The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /run/utmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /run/utmp -p wa -k session
|
| CCE-93724-3 |
Record Attempts to Alter Process and Session Initiation Information wtmp |
The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/log/wtmp -p wa -k session
|
| CCE-93705-2 |
Record Events When Privileged Executables Are Run |
Verify the system generates an audit record when privileged functions are executed.
If audit is using the "auditctl" tool to load the rules, run the following command:
$ sudo grep execve /etc/audit/audit.rules
If audit is using the "augenrules" tool to load the rules, run the following command:
$ sudo grep -r execve /etc/audit/rules.d
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. |
| CCE-93674-0 |
Ensure auditd Collects System Administrator Actions |
At a minimum, the audit system should collect administrator actions
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
|
| CCE-93657-5 |
Record Events that Modify User/Group Information - /etc/group |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
|
| CCE-93659-1 |
Record Events that Modify User/Group Information - /etc/security/opasswd |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
|
| CCE-93656-7 |
Record Events that Modify User/Group Information - /etc/passwd |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
|
| CCE-93658-3 |
Record Events that Modify User/Group Information - /etc/shadow |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
|
| CCE-93653-4 |
Record Events that Modify the System's Discretionary Access Controls - fchmod |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93651-8 |
Record Events that Modify the System's Discretionary Access Controls - fremovexattr |
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93652-6 |
Record Events that Modify the System's Discretionary Access Controls - lchown |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93655-9 |
Record Events that Modify the System's Discretionary Access Controls - umount2 |
At a minimum, the audit system should collect file system umount2
changes. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93618-7 |
Record Any Attempts to Run chacl |
At a minimum, the audit system should collect any execution attempt
of the chacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93616-1 |
Record Any Attempts to Run chmod |
At a minimum, the audit system should collect any execution attempt
of the chmod command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93617-9 |
Record Any Attempts to Run setfacl |
At a minimum, the audit system should collect any execution attempt
of the setfacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93619-5 |
Record Any Attempts to Run chcon |
At a minimum, the audit system should collect any execution attempt
of the chcon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93620-3 |
Record Any Attempts to Run rm |
At a minimum, the audit system should collect any execution attempt
of the rm command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-94098-1 |
Record Any Attempts to Run semanage |
At a minimum, the audit system should collect any execution attempt
of the semanage command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-94099-9 |
Record Any Attempts to Run setfiles |
At a minimum, the audit system should collect any execution attempt
of the setfiles command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-94100-5 |
Record Any Attempts to Run setsebool |
At a minimum, the audit system should collect any execution attempt
of the setsebool command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93666-6 |
Record Unsuccessful Access Attempts to Files - open |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| CCE-93667-4 |
Record Unsuccessful Delete Attempts to Files - rename |
The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
| CCE-93675-7 |
Ensure auditd Collects Information on Kernel Module Unloading - delete_module |
To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| CCE-93676-5 |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module |
If the auditd daemon is configured to use the augenrules program
to read audit rules during daemon startup (the default), add the following lines to a file
with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to /etc/audit/audit.rules file
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
|
| CCE-93665-8 |
Record Attempts to Alter Logon and Logout Events - lastlog |
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
|
| CCE-93664-1 |
Record Attempts to Alter Logon and Logout Events - tallylog |
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
|
| CCE-93607-0 |
Ensure auditd Collects Information on the Use of Privileged Commands - chage |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93610-4 |
Ensure auditd Collects Information on the Use of Privileged Commands - chfn |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93605-4 |
Ensure auditd Collects Information on the Use of Privileged Commands - chsh |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93608-8 |
Ensure auditd Collects Information on the Use of Privileged Commands - crontab |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93603-9 |
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93612-0 |
Ensure auditd Collects Information on the Use of Privileged Commands - insmod |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/insmod -p x -k modules
|
| CCE-93615-3 |
Ensure auditd Collects Information on the Use of Privileged Commands - kmod |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /usr/bin/kmod -p x -k modules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-w /usr/bin/kmod -p x -k modules
|
| CCE-93614-6 |
Ensure auditd Collects Information on the Use of Privileged Commands - modprobe |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/modprobe -p x -k modules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-w /sbin/modprobe -p x -k modules
|
| CCE-93604-7 |
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93622-9 |
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93602-1 |
Ensure auditd Collects Information on the Use of Privileged Commands - passwd |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93613-8 |
Ensure auditd Collects Information on the Use of Privileged Commands - rmmod |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/rmmod -p x -k modules
|
| CCE-93611-2 |
Record Any Attempts to Run ssh-agent |
At a minimum, the audit system should collect any execution attempt
of the ssh-agent command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
|
| CCE-94071-8 |
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93623-7 |
Ensure auditd Collects Information on the Use of Privileged Commands - su |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93624-5 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudo |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93609-6 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93606-2 |
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93621-1 |
Ensure auditd Collects Information on the Use of Privileged Commands - usermod |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93707-8 |
Configure audispd Plugin To Send Logs To Remote Server |
Configure the audispd plugin to off-load audit records onto a different
system or media from the system being audited.
Set the remote_server option in /etc/audit/audisp-remote.conf
with an IP address or hostname of the system that the audispd plugin should
send audit records to. For example
remote_server =
|
| CCE-94090-8 |
Configure a Sufficiently Large Partition for Audit Logs |
The SUSE Linux Enterprise Micro 5 operating system must allocate audit record storage
capacity to store at least one weeks worth of audit records when audit
records are not immediately sent to a central audit record storage
facility.
The partition size needed to capture a week's worth of audit records is
based on the activity level of the system and the total storage capacity
available.
In normal circumstances, 10.0 GB of storage space for audit
records will be sufficient.
Determine which partition the audit records are being written to with the
following command:
$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Check the size of the partition that audit records are written to with the
following command:
$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
|
| CCE-93728-4 |
Configure audispd's Plugin disk_full_action When Disk Is Full |
Configure the action the operating system takes if the disk the audit records
are written to becomes full. Edit the file /etc/audit/audisp-remote.conf.
Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. |
| CCE-93706-0 |
Encrypt Audit Records Sent With audispd Plugin |
Configure the operating system to encrypt the transfer of off-loaded audit
records onto a different system or media from the system being audited.
Uncomment the enable_krb5 option in /etc/audit/audisp-remote.conf ,
and set it with the following line:
enable_krb5 = yes
|
| CCE-93727-6 |
Configure audispd's Plugin network_failure_action On Network Failure |
Configure the action the operating system takes if there is an error sending
audit records to a remote system. Edit the file /etc/audit/audisp-remote.conf.
Add or modify the following line, substituting ACTION appropriately:
network_failure_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
This profile configures the action to be |
| CCE-93679-9 |
Configure auditd Disk Full Action when Disk Space Is Full |
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec,
single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| CCE-93677-3 |
Configure auditd mail_acct Action on Low Disk Space |
The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct =
|
| CCE-93788-8 |
Configure auditd space_left Action on Low Disk Space |
The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page.
These include:
syslogemailexecsuspendsinglehalt
Set this to email (instead of the default,
which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt. |
| CCE-93708-6 |
Configure auditd space_left on Low Disk Space |
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting PERCENTAGE appropriately:
space_left = PERCENTAGE%
Set this value to at least 25 to cause the system to
notify the user of an issue. |