CCE Identifiers in Guide to the Secure Configuration of SUSE Linux Enterprise Micro 5
| CCE ID |
Rule Title |
Description |
| CCE-94078-3 |
Disable Prelinking |
The prelinking feature changes binaries in an attempt to decrease their startup
time. In order to disable it, change or add the following line inside the file
/etc/sysconfig/prelink:
PRELINKING=no
Next, run the following command to return binaries to a normal, non-prelinked state:
$ sudo /usr/sbin/prelink -ua
|
| CCE-93758-1 |
Install AIDE |
The aide package can be installed with the following command:
$ sudo zypper install aide
|
| CCE-93710-2 |
Build and Test AIDE Database |
Run the following command to generate a new database:
$ sudo /usr/bin/aide --init
By default, the database will be written to the file
/var/lib/aide/aide.db.new.
Storing the database, the configuration file /etc/aide.conf, and the binary
/usr/bin/aide
(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
To initiate a manual check, run the following command:
$ sudo /usr/bin/aide --check
If this check produces any unexpected output, investigate. |
| CCE-93703-7 |
Configure AIDE to Verify the Audit Tools |
The operating system file integrity tool must be configured to protect the integrity of the audit tools. |
| CCE-93721-9 |
Configure Systemd Timer Execution of AIDE |
At a minimum, AIDE should be configured to run a weekly scan.
To implement a systemd service and a timer unit to run the service periodically:
For example, if a systemd timer is expected to be started every day at 5AM
OnCalendar=*-*-* 05:00:0
[Timer] section in the timer unit and
a Unit section starting the AIDE check service unit should be referred. |
| CCE-93722-7 |
Configure Notification of Post-AIDE Scan Details |
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
If AIDE has already been configured for periodic execution in /etc/crontab, append the
following line to the existing AIDE line:
| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example. |
| CCE-93742-5 |
Configure AIDE to Verify Access Control Lists (ACLs) |
By default, the acl option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the acl option is missing, add acl
to the appropriate ruleset.
For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.
The remediation provided with this rule adds acl to all rule sets available in
/etc/aide.conf
|
| CCE-93743-3 |
Configure AIDE to Verify Extended Attributes |
By default, the xattrs option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the xattrs option is missing, add xattrs
to the appropriate ruleset.
For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.
The remediation provided with this rule adds xattrs to all rule sets available in
/etc/aide.conf
|
| CCE-93785-4 |
Verify '/proc/sys/crypto/fips_enabled' exists |
On a system where FIPS 140-2 mode is enabled, /proc/sys/crypto/fips_enabled must exist.
To verify FIPS mode, run the following command:
cat /proc/sys/crypto/fips_enabled
|
| CCE-93601-3 |
The Installed Operating System Is Vendor Supported |
The installed operating system must be maintained by a vendor.
SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise
vendor, SUSE is responsible for providing security patches. |
| CCE-93760-7 |
Encrypt Partitions |
SUSE Linux Enterprise Micro 5 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
For manual installations, select the Encrypt checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the SUSE Linux Enterprise Micro 5 Documentation web site:
https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-security-cryptofs.html
. |
| CCE-94076-7 |
Ensure /dev/shm is configured |
The /dev/shm is a traditional shared memory concept.
One program will create a memory portion, which other processes
(if permitted) can access. If /dev/shm is not configured,
tmpfs will be mounted to /dev/shm by systemd. |
| CCE-93796-1 |
Ensure /home Located On Separate Partition |
If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later. |
| CCE-93797-9 |
Ensure /var Located On Separate Partition |
The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM. |
| CCE-93787-0 |
Ensure /var/log/audit Located On Separate Partition |
Audit logs are stored in the /var/log/audit directory.
Ensure that /var/log/audit has its own partition or logical
volume at installation time, or migrate it using LVM.
Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon. |
| CCE-93754-0 |
Disable GDM Unattended or Automatic Login |
The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials or unattended login. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the DISPLAYMANAGER_AUTOLOGIN=""
or DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" in the
/etc/sysconfig/displaymanager. For example:
DISPLAYMANAGER_AUTOLOGIN=""
DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
|
| CCE-94075-9 |
Install sudo Package |
The sudo package can be installed with the following command:
$ sudo zypper install sudo
|
| CCE-94074-2 |
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty |
The sudo use_pty tag, when specified, will only execute sudo
commands from users logged in to a real tty.
This should be enabled by making sure that the use_pty tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. |
| CCE-94073-4 |
Ensure Sudo Logfile Exists - sudo logfile |
A custom log sudo file can be configured with the 'logfile' tag. This rule configures
a sudo custom logfile at the default location suggested by CIS, which uses
/var/log/sudo.log. |
| CCE-93715-1 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate |
The sudo !authenticate option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/. |
| CCE-93714-4 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD |
The sudo NOPASSWD tag, when specified, allows a user to execute
commands using sudo without having to authenticate. This should be disabled
by making sure that the NOPASSWD tag does not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. |
| CCE-93713-6 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo |
The sudo NOPASSWD and !authenticate option, when
specified, allows a user to execute commands using sudo without having to
authenticate. This should be disabled by making sure that
NOPASSWD and/or !authenticate do not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/." |
| CCE-93716-9 |
Require Re-Authentication When Using the sudo Command |
The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits.
The default timestamp_timeout value is 5 minutes.
The timestamp_timeout should be configured by making sure that the
timestamp_timeout tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
If the value is set to an integer less than 0, the user's time stamp will not expire
and the user will not have to re-authenticate for privileged actions until the user's session is terminated. |
| CCE-93786-2 |
The operating system must restrict privilege elevation to authorized personnel |
The sudo command allows a user to execute programs with elevated
(administrator) privileges. It prompts the user for their password
and confirms your request to execute a command by checking a file,
called sudoers.
Restrict privileged actions by removing the following entries from the sudoers file:
ALL ALL=(ALL) ALL
ALL ALL=(ALL:ALL) ALL
|
| CCE-93733-4 |
Ensure sudo only includes the default configuration directory |
Administrators can configure authorized sudo users via drop-in files, and it is possible to include
other directories and configuration files from the file currently being parsed.
Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d,
or that no drop-in file is included.
Either the /etc/sudoers should contain only one #includedir directive pointing to
/etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories;
Or the /etc/sudoers should not contain any #include,
@include, #includedir or @includedir directives.
Note that the '#' character doesn't denote a comment in the configuration file. |
| CCE-93735-9 |
Ensure invoking users password for privilege escalation when using sudo |
The sudoers security policy requires that users authenticate themselves before they can use sudo.
When sudoers requires authentication, it validates the invoking user's credentials.
The expected output for:
sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$'
Defaults !targetpw
Defaults !rootpw
Defaults !runaspw
or if cvtsudoers not supported:
sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \;
/etc/sudoers:Defaults !targetpw
/etc/sudoers:Defaults !rootpw
/etc/sudoers:Defaults !runaspw
|
| CCE-93720-1 |
Ensure zypper Removes Previous Package Versions |
zypper should be configured to remove previous software components after
new versions have been installed. To configure zypper to remove the
previous software components after updating, set the solver.upgradeRemoveDroppedPackages
to 1 in /etc/zypp/zypp.conf. |
| CCE-94072-6 |
Ensure GPG keys are configured |
The operation system or installed application can be successfully bootstrapped
without the GPG key being trusted. However, you cannot install new packages or
update them until the keys are trusted.
Most packages managers implement GPG key signing to verify package integrity
during installation.
To verify GPG keys are configured correctly for your package manager,
one of the following command groups may provide the needed information
depending on the package manager in use.
In SUSE Linux distributions, the administrators have to follow the next steps:
1. Log on to the system as a user with administrator rights.
2. Locate and download package, for example zoom_x86_64.rpm
3. Locate and download the public key (GPG) from the software download site, for
example the key for zoom package is package-signing-key-5-12-6.pub
4. Import the key public key:
$ sudo rpm --import package-signing-key-5-12-6.pub
5. List the keys, for example the command:
$ sudo rpm -qa gpg-pubkey*
will provide:
gpg-pubkey-dd79b481-62fe7502
6. Get more details about the key, via the command:
$ sudo rpm -qa gpg-pubkey-dd79b481-62fe7502
7. Check the GPG key, for example the command:
$ sudo rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
will provide:
gpg-pubkey-dd79b481-62fe7502 --> gpg(Zoom Video Communications, Inc. <CryptoOpsCodeSignProd@zoom.us>)
|
| CCE-93712-8 |
Ensure gpgcheck Enabled In Main zypper Configuration |
The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure zypper to check package signatures before installing
them, ensure the following line appears in /etc/zypp/zypp.conf in
the [main] section:
gpgcheck=1
|
| CCE-94070-0 |
Ensure gpgcheck Enabled for All zypper Package Repositories |
To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/zypp/repos.d of the form:
gpgcheck=0
|
| CCE-94063-5 |
Ensure package manager repositories are configured |
Systems need to have package manager repositories configured to ensure they receive the
latest patches and updates. |
| CCE-93804-3 |
Ensure Software Patches Installed |
If the system is configured for online updates, invoking the following command will list available
security updates:
$ sudo zypper refresh && sudo zypper list-patches -g security
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
dictates. |
| CCE-93802-7 |
Modify the System Login Banner |
To configure the system login banner edit /etc/issue. Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't.
|
| CCE-94062-7 |
Modify the System Login Banner for Remote Connections |
To configure the system login banner edit /etc/issue.net. Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't.
|
| CCE-94061-9 |
Modify the System Message of the Day Banner |
To configure the system message banner edit /etc/motd. Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't.
|
| CCE-94060-1 |
Verify Group Ownership of System Login Banner |
To properly set the group owner of /etc/issue, run the command:
$ sudo chgrp root /etc/issue
|
| CCE-94059-3 |
Verify Group Ownership of System Login Banner for Remote Connections |
To properly set the group owner of /etc/issue.net, run the command:
$ sudo chgrp root /etc/issue.net
|
| CCE-94058-5 |
Verify Group Ownership of Message of the Day Banner |
To properly set the group owner of /etc/motd, run the command:
$ sudo chgrp root /etc/motd
|
| CCE-94057-7 |
Verify ownership of System Login Banner |
To properly set the owner of /etc/issue, run the command:
$ sudo chown root /etc/issue
|
| CCE-94056-9 |
Verify ownership of System Login Banner for Remote Connections |
To properly set the owner of /etc/issue.net, run the command:
$ sudo chown root /etc/issue.net
|
| CCE-94055-1 |
Verify ownership of Message of the Day Banner |
To properly set the owner of /etc/motd, run the command:
$ sudo chown root /etc/motd
|
| CCE-94054-4 |
Verify permissions on System Login Banner |
To properly set the permissions of /etc/issue, run the command:
$ sudo chmod 0644 /etc/issue
|
| CCE-94053-6 |
Verify permissions on System Login Banner for Remote Connections |
To properly set the permissions of /etc/issue.net, run the command:
$ sudo chmod 0644 /etc/issue.net
|
| CCE-94052-8 |
Verify permissions on Message of the Day Banner |
To properly set the permissions of /etc/motd, run the command:
$ sudo chmod 0644 /etc/motd
|
| CCE-93730-0 |
Ensure PAM Displays Last Logon/Access Notification |
To configure the system to notify users of last logon/access using pam_lastlog,
add or correct the pam_lastlog settings in /etc/pam.d/login
to include showfailed option, such as:
session required pam_lastlog.so showfailed
And make sure that the silent option is not set for this specific line. |
| CCE-93750-8 |
The PAM configuration should not be changed automatically |
Verify the SUSE operating system is configured to not overwrite Pluggable
Authentication Modules (PAM) configuration on package changes. |
| CCE-94082-5 |
Limit Password Reuse |
Do not allow users to reuse recent passwords. This can be
accomplished by using the remember option for the
pam_pwhistory PAM modules.
In the file /etc/pam.d/common-password, make sure the parameters
remember and use_authtok are present, and that the value
for the remember parameter is or greater. For example:
password requisite pam_pwhistory.so ...existing_options... remember= use_authtok
The DoD STIG requirement is 5 passwords. |
| CCE-94092-4 |
Enforce Delay After Failed Logon Attempts |
To configure the system to introduce a delay after failed logon attempts,
add or correct the pam_faildelay settings in
/etc/pam.d/common-auth to make sure its delay parameter
is at least or greater. For example:
auth required pam_faildelay.so delay=
|
| CCE-93775-5 |
Set Deny For Failed Password Attempts |
The SUSE Linux Enterprise Micro 5 operating system must lock an account after - at most -
consecutive invalid access attempts. |
| CCE-94051-0 |
Configure the root Account lock for Failed Password Attempts via pam_tally2 |
This rule configures the system to lock out the root account after a number of
incorrect login attempts using pam_tally2.so. |
| CCE-94089-0 |
SLEM 5 must use the default pam_tally2 tally directory. |
This rule configures the system to use default pam_tally2 tally directory |
| CCE-94088-2 |
An SELinux Context must be configured for default pam_tally2 file option |
The file configuration option in PAM pam_tally2.so module defines where to keep counts.
Default is /var/log/tallylog. The configured directory must have the correct SELinux context. |
| CCE-94050-2 |
Set Lockout Time for Failed Password Attempts using pam_tally2 |
This rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using pam_tally2.so. |
| CCE-93764-9 |
Set Password Strength Minimum Digit Characters |
The pam_cracklib module's dcredit parameter controls requirements
for usage of digits in a password. When set to a negative number, any
password will be required to contain that many digits. When set to a
positive number, pam_cracklib will grant +1 additional length credit for
each digit. Add dcredit=-1 after pam_cracklib.so to require use of
a digit in passwords. |
| CCE-93765-6 |
Set Password Strength Minimum Different Characters |
The pam_cracklib module's difok parameter controls requirements for
usage of different characters during a password change. The number of
changed characters refers to the number of changes required with respect to
the total number of positions in the current password. In other words,
characters may be the same within the two passwords; however, the positions
of the like characters must be different.
Make sure the difok parameter for the pam_cracklib module is
configured to greater than or equal to |
| CCE-93763-1 |
Set Password Strength Minimum Lowercase Characters |
The pam_cracklib module's lcredit= parameter controls requirements
for usage of lowercase letters in a password. When set to a negative
number, any password will be required to contain that many lowercase
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each lowercase character.
Add lcredit=-1 after pam_cracklib.so to require use of a
lowercase character in passwords. |
| CCE-93766-4 |
Set Password Minimum Length |
The pam_cracklib module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=
to set minimum password length requirements. |
| CCE-93767-2 |
Set Password Strength Minimum Special Characters |
The pam_cracklib module's ocredit= parameter controls requirements
for usage of special (or ``other'') characters in a password. When set to a
negative number, any password will be required to contain that many special
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each special character.
Make sure the ocredit parameter for the pam_cracklib module is
set to less than or equal to ocredit=
. |
| CCE-93729-2 |
Set Password Retry Limit |
The pam_cracklib module's retry parameter controls the maximum
number of times to prompt the user for the password before returning
with error. Make sure it is configured with a value that is no more than
. For example, retry=1. |
| CCE-93762-3 |
Set Password Strength Minimum Uppercase Characters |
The pam_cracklib module's ucredit= parameter controls requirements
for usage of uppercase letters in a password. When set to a negative
number, any password will be required to contain that many uppercase
characters. When set to a positive number, pam_cracklib will grant +1
additional length credit for each uppercase character.
Add ucredit=-1 after pam_cracklib.so to require use of an upper
case character in passwords. |
| CCE-93689-8 |
Set Password Hashing Algorithm in /etc/login.defs |
In /etc/login.defs, add or update the following line to ensure the system will use
as the hashing algorithm:
ENCRYPT_METHOD
|
| CCE-93681-5 |
Set PAM''s Password Hashing Algorithm |
The PAM system service can be configured to only store encrypted representations of passwords.
In "/etc/pam.d/common-password", the password section of the file controls which
PAM modules to execute during a password change.
Set the pam_unix.so module in the password section to include the option
password required pam_unix.so
other arguments...
This will help ensure that new passwords for local users will be stored using the
algorithm. |
| CCE-93682-3 |
Set Password Hashing Rounds in /etc/login.defs |
In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and
SHA_CRYPT_MAX_ROUNDS has the minimum value of SHA_CRYPT_MIN_ROUNDS
SHA_CRYPT_MAX_ROUNDS
Notice that if neither are set, they already have the default value of 5000.
If either is set, they must have the minimum value of . |
| CCE-93744-1 |
Disable Ctrl-Alt-Del Reboot Activation |
By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the
command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target
Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates. |
| CCE-94049-4 |
Require Authentication for Emergency Systemd Target |
Emergency mode is intended as a system recovery
method, providing a single user root access to the system
during a failed boot sequence.
By default, Emergency mode is protected by requiring a password and is set
in /usr/lib/systemd/system/emergency.service. |
| CCE-94048-6 |
Require Authentication for Single User Mode |
Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup.
By default, single-user mode is protected by requiring a password and is set
in /usr/lib/systemd/system/rescue.service. |
| CCE-93755-7 |
Check that vlock is installed to allow session locking |
The SUSE Linux Enterprise Micro 5 operating system must have vlock installed to allow for session locking.
The kbd package can be installed with the following command:
$ sudo zypper install kbd
|
| CCE-93761-5 |
Install Smart Card Packages For Multifactor Authentication |
Configure the operating system to implement multifactor authentication by
installing the required package with the following command:
The pam_pkcs11 package can be installed with the following command:
$ sudo zypper install pam_pkcs11
The mozilla-nss package can be installed with the following command:
$ sudo zypper install mozilla-nss
The mozilla-nss-tools package can be installed with the following command:
$ sudo zypper install mozilla-nss-tools
The pcsc-ccid package can be installed with the following command:
$ sudo zypper install pcsc-ccid
The pcsc-lite package can be installed with the following command:
$ sudo zypper install pcsc-lite
The pcsc-tools package can be installed with the following command:
$ sudo zypper install pcsc-tools
The opensc package can be installed with the following command:
$ sudo zypper install opensc
The coolkey package can be installed with the following command:
$ sudo zypper install coolkey
|
| CCE-93680-7 |
Configure Smart Card Certificate Authority Validation |
Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy lines in
/etc/pam_pkcs11/pam_pkcs11.conf to include ca like so:
cert_policy = ca, ocsp_on, signature;
|
| CCE-93717-7 |
Configure Smart Card Certificate Status Checking |
Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy lines in
/etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
cert_policy = ca, ocsp_on, signature;
|
| CCE-93800-1 |
Enable Smart Card Logins in PAM |
This requirement only applies to components where this is specific to the
function of the device or has the concept of an organizational user (e.g.,
VPN, proxy capability). This does not apply to authentication for the
purpose of configuring the device itself (management).
Check that the pam_pkcs11.so option is configured in the
etc/pam.d/common-auth file with the following command:
# grep pam_pkcs11.so /etc/pam.d/common-auth
auth sufficient pam_pkcs11.so
For general information about enabling smart card authentication, consult
the documentation at:
|
| CCE-93780-5 |
Ensure All Accounts on the System Have Unique User IDs |
Change user IDs (UIDs), or delete accounts, so each has a unique name. |
| CCE-93731-8 |
Only Authorized Local User Accounts Exist on Operating System |
Enterprise Application tends to use the server or virtual machine exclusively.
Besides the default operating system user, there should be only authorized local
users required by the installed software groups and applications that exist on
the operating system. The authorized user list can be customized in the refine
value variable var_accounts_authorized_local_users_regex.
OVAL regular expression is used for the user list.
Configure the system so all accounts on the system are assigned to an active system,
application, or user account. Remove accounts that do not support approved system
activities or that allow for a normal user to perform administrative-level actions.
To remove unauthorized system accounts, use the following command:
$ sudo userdel unauthorized_user
|
| CCE-94047-8 |
Ensure All Groups on the System Have Unique Group ID |
Change the group name or delete groups, so each has a unique id. |
| CCE-94046-0 |
Ensure All Groups on the System Have Unique Group Names |
Change the group name or delete groups, so each has a unique name. |
| CCE-93688-0 |
Set Account Expiration Following Inactivity |
To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd:
INACTIVE=
If a password is currently on the verge of expiration, then
useradd man page for more information. |
| CCE-93781-3 |
Never Automatically Remove or Disable Emergency Administrator Accounts |
Emergency accounts are privileged accounts that are established in response
to crisis situations where the need for rapid account activation is
required. Therefore, emergency account activation may bypass normal account
authorization processes. If these accounts are automatically disabled,
system maintenance during emergencies may not be possible, thus adversely
affecting system availability.
Check to see if an emergency administrator account password or account expires with the following command:
# sudo chage -l [Emergency_Administrator]
Password expires:never
If Password expires or Account expires is set to anything other than never, this is a finding. |
| CCE-93782-1 |
Assign Expiration Date to Temporary Accounts |
Temporary accounts are established as part of normal account activation
procedures when there is a need for short-term accounts. In the event
temporary accounts are required, configure the system to
terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on
it, substituting USER and YYYY-MM-DD
appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours. |
| CCE-94045-2 |
Ensure All Accounts on the System Have Unique Names |
Ensure accounts on the system have unique names.
To ensure all accounts have unique names, run the following command:
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
If a username is returned, change or delete the username. |
| CCE-94044-5 |
Ensure shadow Group is Empty |
The shadow group allows system programs which require access the ability
to read the /etc/shadow file. No users should be assigned to the shadow group. |
| CCE-93685-6 |
Set Password Maximum Age |
To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is |
| CCE-93683-1 |
Set Password Minimum Age |
To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS
A value of 1 day is considered sufficient for many
environments. The DoD requirement is 1.
The profile requirement is |
| CCE-93686-4 |
Set Existing Passwords Maximum Age |
Configure non-compliant accounts to enforce a -day maximum password lifetime
restriction by running the following command:
$ sudo chage -M
USER
|
| CCE-93684-9 |
Set Existing Passwords Minimum Age |
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER
|
| CCE-94043-7 |
Set Existing Passwords Warning Age |
To configure how many days prior to password expiration that a warning will be issued to
users, run the command:
$ sudo chage --warndays
USER
The DoD requirement is 7, and CIS recommendation is no less than 7 days.
This profile requirement is |
| CCE-94042-9 |
Set Password Warning Age |
To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs and add or correct
the following line:
PASS_WARN_AGE
The DoD requirement is 7.
The profile requirement is |
| CCE-94041-1 |
Set existing passwords a period of inactivity before they been locked |
Configure user accounts that have been inactive for over a given period of time
to be automatically disabled by running the following command:
$ sudo chage --inactive 30USER
|
| CCE-94040-3 |
Verify All Account Password Hashes are Shadowed |
If any password hashes are stored in /etc/passwd (in the second field,
instead of an x or *), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely. |
| CCE-93774-8 |
Verify All Account Password Hashes are Shadowed with SHA512 |
Verify the operating system requires the shadow password suite
configuration be set to encrypt interactive user passwords using a strong
cryptographic hash.
Check that the interactive user account passwords are using a strong
password hash with the following command:
$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
If any interactive user password hash does not begin with $6,
this is a finding. |
| CCE-94039-5 |
Ensure all users last password change date is in the past |
All users should have a password change date in the past. |
| CCE-94038-7 |
All GIDs referenced in /etc/passwd must be defined in /etc/group |
Add a group to the system for each GID referenced without a corresponding group. |
| CCE-93738-3 |
Prevent Login to Accounts With Empty Password |
If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok in
password authentication configurations in /etc/pam.d/
to prevent logins with empty passwords. |
| CCE-93737-5 |
Ensure There Are No Accounts With Blank or Null Passwords |
Check the "/etc/shadow" file for blank passwords with the
following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding.
Configure all accounts on the system to have a password or lock
the account with the following commands:
Perform a password reset:
$ sudo passwd [username]
Lock an account:
$ sudo passwd -l [username]
|
| CCE-94037-9 |
Verify No .forward Files Exist |
The .forward file specifies an email address to forward the user's mail to. |
| CCE-94036-1 |
Ensure there are no legacy + NIS entries in /etc/passwd |
The + character in /etc/passwd file marks a place where
entries from a network information service (NIS) should be directly inserted. |
| CCE-94035-3 |
Ensure there are no legacy + NIS entries in /etc/shadow |
The + character in /etc/shadow file marks a place where
entries from a network information service (NIS) should be directly inserted. |
| CCE-94034-6 |
Verify No netrc Files Exist |
The .netrc files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used. Any .netrc files should be removed. |
| CCE-93734-2 |
Verify Only Root Has UID 0 |
If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
Otherwise assign a UID greater than "1000" that has not already been
assigned. |
| CCE-94033-8 |
Verify Root Has A Primary GID 0 |
The root user should have a primary group of 0. |
| CCE-94032-0 |
Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty |
Ensure that the group var_pam_wheel_group_for_su variable and used as value for the pam_wheel.so
group option exists and has no members. This empty group used by
pam_wheel.so in /etc/pam.d/su ensures that no user can run commands with
altered privileges through the su command. |
| CCE-94031-2 |
Direct root Logins Not Allowed |
To further limit access to the root account, administrators
can disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as user can login to the system as root via Telnet, which sends the password in
plain text over the network. By default, SUSE Linux Enterprise Micro 5's
/etc/securetty file only allows the root user to login at the console
physically attached to the system. To prevent root from logging in, remove the
contents of this file. To prevent direct root logins, remove the contents of this
file by typing the following command:
$ sudo echo > /etc/securetty
|
| CCE-93732-6 |
Ensure that System Accounts Do Not Run a Shell Upon Login |
Some accounts are not associated with a human user of the system, and exist to perform some
administrative functions. Should an attacker be able to log into these accounts, they should
not be granted access to a shell.
The login shell for each local account is stored in the last field of each line in
/etc/passwd. System accounts are those user accounts with a user ID less than
1000. The user ID is stored in the third field. If any system account
other than root has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin account
|
| CCE-94030-4 |
Restrict Virtual Console Root Logins |
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty:
vc/1
vc/2
vc/3
vc/4
|
| CCE-94029-6 |
Enforce Usage of pam_wheel with Group Parameter for su Authentication |
To ensure that only users who are members of the group set in the group option of
pam_wheel.so module can run commands with altered privileges through the su
command, make sure that the following line exists in the file /etc/pam.d/su:
auth required pam_wheel.so use_uid group=
|
| CCE-93736-7 |
Ensure Home Directories are Created for New Users |
All local interactive user accounts, upon creation, should be assigned a home directory.
Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME
parameter in /etc/login.defs to yes as follows:
CREATE_HOME yes
|
| CCE-94093-2 |
Ensure the Logon Failure Delay is Set Correctly in login.defs |
To ensure the logon failure delay controlled by /etc/login.defs is set properly,
add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY
|
| CCE-93671-6 |
Limit the Number of Concurrent Login Sessions Allowed Per User |
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf or
a file under /etc/security/limits.d/:
* hard maxlogins
|
| CCE-93805-0 |
Set Interactive Session Timeout |
Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity.
The value of TMOUT should be exported and read only.
The TMOUT
setting in /etc/profile.d/autologout.sh should read as follows:
TMOUT=
readonly TMOUT
export TMOUT |
| CCE-93790-4 |
User Initialization Files Must Not Run World-Writable Programs |
Set the mode on files being executed by the user initialization files with the
following command:
$ sudo chmod o-w FILE
|
| CCE-93789-6 |
Ensure that Users Path Contains Only Local Directories |
Ensure that all interactive user initialization files executable search
path statements do not contain statements that will reference a working
directory other than the users home directory. |
| CCE-93745-8 |
All Interactive Users Must Have A Home Directory Defined |
Assign home directories to all interactive users that currently do not
have a home directory assigned.
This rule checks if the home directory is properly defined in a folder which has
at least one parent folder, like "user" in "/home/user" or "/remote/users/user".
Therefore, this rule will report a finding for home directories like /users,
/tmp or /. |
| CCE-93746-6 |
All Interactive Users Home Directories Must Exist |
Create home directories to all local interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
|
| CCE-94028-8 |
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive |
Set the mode on files and directories in the local interactive user home
directory with the following command:
$ sudo chmod 0750 /home/USER/FILE_DIR
Files that begin with a "." are excluded from this requirement. |
| CCE-94027-0 |
Ensure users' .netrc Files are not group or world accessible |
While the system administrator can establish secure permissions for users' .netrc files, the
users can easily override these.
This rule ensures every .netrc file or directory under the home directory related
to an interactive user is not group or world accessible |
| CCE-93748-2 |
All Interactive User Home Directories Must Be Group-Owned By The Primary Group |
Change the group owner of interactive users home directory to the
group found in /etc/passwd. To change the group owner of
interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
This rule ensures every home directory related to an interactive user is
group-owned by an interactive user. It also ensures that interactive users
are group-owners of one and only one home directory. |
| CCE-93749-0 |
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive |
Set the mode of the user initialization files to 0740 with the
following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE
|
| CCE-93747-4 |
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive |
Change the mode of interactive users home directories to 0750. To
change the mode of interactive users home directory, use the
following command:
$ sudo chmod 0750 /home/USER
|
| CCE-94026-2 |
Ensure that Root's Path Does Not Include World or Group-Writable Directories |
For each element in root's path, run:
# ls -ld DIR
and ensure that write permissions are disabled for group and
other. |
| CCE-94025-4 |
Ensure that Root's Path Does Not Include Relative Paths or Null Directories |
Ensure that none of the directories in root's path is equal to a single
. character, or
that it contains any instances that lead to relative path traversal, such as
.. or beginning a path without the slash (/) character.
Also ensure that there are no "empty" elements in the path, such as in these examples:
PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin
These empty elements have the same effect as a single . character. |
| CCE-94023-9 |
Ensure the Default Bash Umask is Set Correctly |
To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bash.bashrc to read
as follows:
umask
|
| CCE-93753-2 |
Ensure the Default Umask is Set Correctly in login.defs |
To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK
|
| CCE-94024-7 |
Ensure the Default Umask is Set Correctly in /etc/profile |
To ensure the default umask controlled by /etc/profile is set properly,
add or correct the umask setting in /etc/profile to read as follows:
umask
Note that /etc/profile also reads scrips within /etc/profile.d directory.
These scripts are also valid files to set umask value. Therefore, they should also be
considered during the check and properly remediated, if necessary. |
| CCE-94022-1 |
Install the pam_apparmor Package |
The pam_apparmor package can be installed with the following command:
$ sudo zypper install pam_apparmor
|
| CCE-94021-3 |
Verify /boot/grub2/grub.cfg Group Ownership |
The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg
|
| CCE-94020-5 |
Verify /boot/grub2/grub.cfg User Ownership |
The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg
|
| CCE-94019-7 |
Verify /boot/grub2/grub.cfg Permissions |
File permissions for /boot/grub2/grub.cfg should be set to 600.
To properly set the permissions of /boot/grub2/grub.cfg, run the command:
$ sudo chmod 600 /boot/grub2/grub.cfg
|
| CCE-93778-9 |
Set Boot Loader Password in grub2 |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.
Using the hash from the output, modify the /etc/grub.d/40_custom
file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
NOTE: the bootloader superuser account and password MUST differ from the
root account and password.
Once the superuser password has been added,
update the
grub.cfg file by running:
grubby --update-kernel=ALL
|
| CCE-93779-7 |
Set the UEFI Boot Loader Password |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.
Using the hash from the output, modify the /etc/grub.d/40_custom
file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
NOTE: the bootloader superuser account and password MUST differ from the
root account and password.
Once the superuser password has been added,
update the
grub.cfg file by running:
grubby --update-kernel=ALL
|
| CCE-94085-8 |
Install systemd-journal-remote Package |
Journald (via systemd-journal-remote ) supports the ability to send
log events it gathers to a remote log host or to receive messages
from remote hosts, thus enabling centralised log management. |
| CCE-94084-1 |
Enable systemd-journal-upload Service |
SUSE Linux Enterprise Micro 5 must offload rsyslog messages for networked systems in real time and
offload standalone systems at least weekly.
The systemd-journal-upload service can be enabled with the following command:
$ sudo systemctl enable systemd-journal-upload.service
|
| CCE-94018-9 |
Ensure journald is configured to compress large log files |
The journald system can compress large log files to avoid fill the system disk. |
| CCE-94017-1 |
Ensure journald is configured to send logs to rsyslog |
Data from journald may be stored in volatile memory or persisted locally.
Utilities exist to accept remote export of journald logs. |
| CCE-94016-3 |
Ensure journald is configured to write log files to persistent disk |
The journald system may store log files in volatile memory or locally on disk.
If the logs are only stored in volatile memory they will we lost upon reboot. |
| CCE-94080-9 |
Configure systemd-journal-upload TLS parameters: ServerKeyFile, ServerCertificateFile and TrustedCertificateFile |
SUSE Linux Enterprise Micro 5 must offload rsyslog messages for networked systems in real time and
offload standalone systems at least weekly |
| CCE-94081-7 |
Configure systemd-journal-upload URL |
SUSE Linux Enterprise Micro 5 must offload rsyslog messages for networked systems in real time and
offload standalone systems at least weekly |
| CCE-94015-5 |
Ensure logrotate is Installed |
logrotate is installed by default. The logrotate package can be installed with the following command: $ sudo zypper install logrotate
|
| CCE-94014-8 |
Ensure Logrotate Runs Periodically |
The logrotate utility allows for the automatic rotation of
log files. The frequency of rotation is specified in /etc/logrotate.conf,
which triggers a cron task or a timer. To configure logrotate to run daily, add or correct
the following line in /etc/logrotate.conf:
# rotate log files frequency
daily
|
| CCE-94013-0 |
Enable logrotate Timer |
The logrotate timer can be enabled with the following command:
$ sudo systemctl enable logrotate.timer
|
| CCE-93752-4 |
Ensure System is Not Acting as a Network Sniffer |
The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command:
$ sudo ip link set dev device_name multicast off promisc off
|
| CCE-94012-2 |
Configure Firewalld to Use the Nftables Backend |
Firewalld can be configured with many backends, such as nftables. |
|
Ensure network interfaces are assigned to appropriate zone |
Firewall zones define the trust level of network connections or interfaces.
Note: Changing firewall settings while connected over network can result in
being locked out of the system. |
| CCE-94011-4 |
Ensure Unnecessary Services and Ports Are Not Accepted |
Services and ports can be accepted or explicitly rejected or dropped by a zone.
For every zone, a default behavior can be set that handles incoming traffic that
is not further specified. Such behavior is defined by setting the target of the zone.
The possible options are:
- ACCEPT - accepts all incoming packets except those disabled by a specific rule.
- REJECT - disables all incoming packets except those that have been allowed in
specific rules and the source machine is informed about the rejection.
- DROP - disables all incoming packets except those that have been allowed in
specific rules and no information sent to the source machine. |
| CCE-94010-6 |
Install firewalld Package |
The firewalld package can be installed with the following command:
$ sudo zypper install firewalld
|
| CCE-93769-8 |
Verify firewalld Enabled |
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
|
|
Ensure firewall rules exist for all open ports |
Any ports that have been opened on non-loopback addresses need firewall rules to govern
traffic. |
| CCE-94009-8 |
Set Default firewalld Zone for Incoming Packets |
To set the default zone to drop for
the built-in default zone which processes incoming IPv4 and IPv6 packets,
modify the following line in
/etc/firewalld/firewalld.conf to be:
DefaultZone=drop
|
| CCE-94008-0 |
Uninstall firewalld Package |
firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with
support for network/firewall “zones” to assign a level of trust to a network and its
associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet
bridges and also for IPSet firewall settings. There is a separation of the runtime and
permanent configuration options.
The firewalld package can be removed with the following command:
$ sudo zypper remove firewalld
|
| CCE-94007-2 |
Verify firewalld service disabled |
Firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with
support for network/firewall “zones” to assign a level of trust to a network and its
associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet
bridges and also for IPSet firewall settings. There is a separation of the runtime and
permanent configuration options.
The firewalld service can be disabled with the following command:
$ sudo systemctl mask --now firewalld.service
|
| CCE-94006-4 |
Install iptables Package |
The iptables package can be installed with the following command:
$ sudo zypper install iptables
|
| CCE-94005-6 |
Ensure iptables are flushed |
nftables is a replacement for iptables, ip6tables, ebtables and arptables |
| CCE-94004-9 |
Verify iptables Enabled |
The iptables service can be enabled with the following command:
$ sudo systemctl enable iptables.service
|
| CCE-94003-1 |
Set Default ip6tables Policy for Incoming Packets |
To set the default policy to DROP (instead of ACCEPT) for
the built-in INPUT chain which processes incoming packets,
add or correct the following line in
/etc/sysconfig/ip6tables:
:INPUT DROP [0:0]
If changes were required, reload the ip6tables rules:
$ sudo service ip6tables reload
|
| CCE-94002-3 |
Set configuration for IPv6 loopback traffic |
Configure the loopback interface to accept traffic.
Configure all other interfaces to deny traffic to the loopback
network. |
| CCE-94001-5 |
Set configuration for loopback traffic |
Configure the loopback interface to accept traffic.
Configure all other interfaces to deny traffic to the loopback
network. |
| CCE-94000-7 |
Set Default iptables Policy for Incoming Packets |
To set the default policy to DROP (instead of ACCEPT) for
the built-in INPUT chain which processes incoming packets,
add or correct the following line in
/etc/sysconfig/iptables:
:INPUT DROP [0:0]
|
| CCE-93999-1 |
Set Default iptables Policy for Forwarded Packets |
To set the default policy to DROP (instead of ACCEPT) for
the built-in FORWARD chain which processes packets that will be forwarded from
one interface to another,
add or correct the following line in
/etc/sysconfig/iptables:
:FORWARD DROP [0:0]
|
| CCE-93998-3 |
Ensure Outbound and Established Connections are Configured |
Configure the firewall rules for new outbound and established connections. |
| CCE-93997-5 |
Ensure IPv6 is disabled through kernel boot parameter |
To disable IPv6 protocol support in the Linux kernel,
add the argument ipv6.disable=1 to the default
GRUB2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain ipv6.disable=1 as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
|
| CCE-93996-7 |
Disable IPv6 Addressing on All IPv6 Interfaces |
To disable support for (ipv6) addressing on all interface add the following line to
/etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):
net.ipv6.conf.all.disable_ipv6 = 1
This disables IPv6 on all network interfaces as other services and system
functionality require the IPv6 stack loaded to work. |
| CCE-93995-9 |
Configure Accepting Router Advertisements on All IPv6 Interfaces |
To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra = 0
|
| CCE-93635-1 |
Disable Accepting ICMP Redirects for All IPv6 Interfaces |
To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0
|
| CCE-93630-2 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces |
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0
|
| CCE-93640-1 |
Disable Kernel Parameter for IPv6 Forwarding |
To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.forwarding = 0
|
| CCE-93994-2 |
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default |
To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra = 0
|
| CCE-93636-9 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces |
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0
|
| CCE-93632-8 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
|
| CCE-93641-9 |
Disable Kernel Parameter for IPv6 Forwarding by default |
To set the runtime status of the net.ipv6.conf.default.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.forwarding = 0
|
| CCE-93633-6 |
Disable Accepting ICMP Redirects for All IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0
|
| CCE-93629-4 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0
|
| CCE-93993-4 |
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.log_martians = 1
|
| CCE-93992-6 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
|
| CCE-93991-8 |
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0
|
| CCE-93634-4 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
|
| CCE-93631-0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default |
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0
|
| CCE-93990-0 |
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default |
To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.log_martians = 1
|
| CCE-93989-2 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default |
To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.rp_filter = 1
|
| CCE-93988-4 |
Configure Kernel Parameter for Accepting Secure Redirects By Default |
To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.secure_redirects = 0
|
| CCE-93987-6 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_echo_ignore_broadcasts = 1
|
| CCE-93986-8 |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
|
| CCE-93626-0 |
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
|
| CCE-93638-5 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0
|
| CCE-93637-7 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default |
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0
|
| CCE-93639-3 |
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces |
To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0
|
| CCE-93985-0 |
Install nftables Package |
nftables provides a new in-kernel packet classification framework that is based on a
network-specific Virtual Machine (VM) and a new nft userspace command line tool.
nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure,
the connection tracking system, NAT, userspace queuing and logging subsystem.
The nftables package can be installed with the following command:
$ sudo zypper install nftables
|
| CCE-93984-3 |
Uninstall nftables package |
nftables is a subsystem of the Linux kernel providing filtering and classification of network
packets/datagrams/frames and is the successor to iptables.
The nftables package can be removed with the following command:
$ sudo zypper remove nftables
|
| CCE-93983-5 |
Verify nftables Service is Enabled |
The nftables service allows for the loading of nftables rulesets during boot,
or starting on the nftables service
The nftables service can be enabled with the following command:
$ sudo systemctl enable nftables.service
|
| CCE-93982-7 |
Verify nftables Service is Disabled |
nftables is a subsystem of the Linux kernel providing filtering and classification of network
packets/datagrams/frames and is the successor to iptables.
The nftables service can be disabled with the following command:
systemctl disable nftables
|
| CCE-93981-9 |
Ensure nftables Default Deny Firewall Policy |
Base chain policy is the default verdict that will be applied to packets reaching the end of
the chain. There are two policies: accept (Default) and drop. If the policy is set to accept,
the firewall will accept any packet that is not configured to be denied and the packet will
continue traversing the network stack.
{% if 'ubuntu' in product %}
Run the following commands and verify that base chains contain a policy of DROP.
$ nft list ruleset | grep 'hook input'
type filter hook input priority 0; policy drop;
$ nft list ruleset | grep 'hook forward'
type filter hook forward priority 0; policy drop;
$ nft list ruleset | grep 'hook output'
type filter hook output priority 0; policy drop;
|
| CCE-93980-1 |
Ensure nftables Rules are Permanent |
nftables is a subsystem of the Linux kernel providing filtering and classification of
network packets/datagrams/frames. The nftables service reads the
file for a nftables file or files to
include in the nftables ruleset. A nftables ruleset containing the input, forward, and output
base chains allow network traffic to be filtered. |
| CCE-93979-3 |
Ensure Base Chains Exist for Nftables |
Tables in nftables hold chains. Each table only has one address family and only applies
to packets of this family. Tables can have one of six families.
Chains are containers for rules. They exist in two kinds, base chains and regular chains.
A base chain is an entry point for packets from the networking stack, a regular chain may
be used as jump target and is used for better rule organization. |
| CCE-93978-5 |
Set nftables Configuration for Loopback Traffic |
Configure the loopback interface to accept traffic.
Configure all other interfaces to deny traffic to the loopback
network. |
| CCE-93977-7 |
Ensure all outbound and established connections are configured for nftables |
Configure the nftables firewall rules for new outbound and established connections |
| CCE-93976-9 |
Ensure a Table Exists for Nftables |
Tables in nftables hold chains. Each table only has one address family and only applies
to packets of this family. Tables can have one of six families. |
| CCE-93975-1 |
Disable DCCP Support |
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp
kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf:
install dccp /bin/false
|
| CCE-93974-4 |
Disable SCTP Support |
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:
install sctp /bin/false
|
| CCE-93704-5 |
Deactivate Wireless Network Interfaces |
Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.
Configure the system to disable wireless network interfaces by issuing the following
command for every active <WIFI-INTERFACE> in the system:
$ sudo wicked ifdown <WIFI-INTERFACE>
Also remove the configuration files for every wifi adapter from
/etc/wicked/ifconfig/<WIFI-INTERFACE>.xml to prevent future
connections. |
| CCE-93693-0 |
Verify that All World-Writable Directories Have Sticky Bits Set |
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may
remove that file from the directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky bit prevents users from
removing each other's files. In cases where there is no reason for a directory to be
world-writable, a better solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application, consult that application's
documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
|
| CCE-93795-3 |
Ensure All World-Writable Directories Are Group Owned by a System Account |
All directories in local partitions which are
world-writable should be group owned by root or another
system account. If any world-writable directories are not
group owned by a system account, this should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group. |
| CCE-93702-9 |
Verify that system commands directories have root as a group owner |
System commands are stored in the following directories:
by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All these directories should have root user as a group owner.
If any system command directory is not group owned by a user other than root
correct its ownership with the following command:
$ sudo chgrp root DIR
|
| CCE-93700-3 |
Verify that system commands directories have root ownership |
System commands are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All these directories should be owned by the root user.
If any system command directory is not owned by a user other than root
correct its ownership with the following command:
$ sudo chown root DIR
|
| CCE-93973-6 |
Ensure No World-Writable Files Exist |
It is generally a good idea to remove global (other) write access to a file when it is
discovered. However, check with documentation for specific applications before making changes.
Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured
application or user account. Finally, this applies to real files and not virtual files that
are a part of pseudo file systems such as sysfs or procfs. |
| CCE-93799-5 |
Ensure All Files Are Owned by a Group |
If any file is not group-owned by a valid defined group, the cause of the lack of
group-ownership must be investigated. Following this, those files should be deleted or
assigned to an appropriate group. The groups need to be defined in /etc/group
or in /usr/lib/group if nss-altfiles are configured to be used
in /etc/nsswitch.conf.
Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid group using the following command:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
|
| CCE-93798-7 |
Ensure All Files Are Owned by a User |
If any files are not owned by a user, then the cause of their lack of ownership should be
investigated. Following this, the files should be deleted or assigned to an appropriate user.
Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid user using the following command:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
|
| CCE-93660-9 |
Verify permissions of log files |
Any operating system providing too much information in error messages
risks compromising the data and security of the structure, and content
of error messages needs to be carefully considered by the organization.
Organizations carefully consider the structure/content of error messages.
The extent to which information systems are able to identify and handle
error conditions is guided by organizational policy and operational
requirements. Information that could be exploited by adversaries includes,
for example, erroneous logon attempts with passwords entered by mistake
as the username, mission/business information that can be derived from
(if not stated explicitly by) information recorded, and personal
information, such as account numbers, social security numbers, and credit
card numbers. |
| CCE-93687-2 |
Verify Permissions and Ownership of Old Passwords File |
To properly set the owner of /etc/security/opasswd, run the command:
$ sudo chown root /etc/security/opasswd
To properly set the group owner of /etc/security/opasswd, run the command:
$ sudo chgrp root /etc/security/opasswd
To properly set the permissions of /etc/security/opasswd, run the command: $ sudo chmod 0600 /etc/security/opasswd
|
| CCE-93972-8 |
Verify Group Who Owns Backup group File |
To properly set the group owner of /etc/group-, run the command:
$ sudo chgrp root /etc/group-
|
| CCE-93971-0 |
Verify Group Who Owns Backup gshadow File |
To properly set the group owner of /etc/gshadow-, run the command:
$ sudo chgrp root /etc/gshadow-
|
| CCE-93970-2 |
Verify Group Who Owns Backup passwd File |
To properly set the group owner of /etc/passwd-, run the command:
$ sudo chgrp root /etc/passwd-
|
| CCE-93969-4 |
Verify User Who Owns Backup shadow File |
To properly set the group owner of /etc/shadow-, run the command:
$ sudo chgrp root /etc/shadow-
|
| CCE-93968-6 |
Verify Group Who Owns group File |
To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group
|
| CCE-93967-8 |
Verify Group Who Owns gshadow File |
To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow
|
| CCE-93966-0 |
Verify Group Who Owns passwd File |
To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
|
| CCE-93965-2 |
Verify Group Who Owns shadow File |
To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp root /etc/shadow
|
| CCE-93964-5 |
Verify User Who Owns Backup group File |
To properly set the owner of /etc/group-, run the command:
$ sudo chown root /etc/group-
|
| CCE-93963-7 |
Verify User Who Owns Backup gshadow File |
To properly set the owner of /etc/gshadow-, run the command:
$ sudo chown root /etc/gshadow-
|
| CCE-93962-9 |
Verify User Who Owns Backup passwd File |
To properly set the owner of /etc/passwd-, run the command:
$ sudo chown root /etc/passwd-
|
| CCE-93961-1 |
Verify Group Who Owns Backup shadow File |
To properly set the owner of /etc/shadow-, run the command:
$ sudo chown root /etc/shadow-
|
| CCE-93960-3 |
Verify User Who Owns group File |
To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group
|
| CCE-93959-5 |
Verify User Who Owns gshadow File |
To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow
|
| CCE-93958-7 |
Verify User Who Owns passwd File |
To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd
|
| CCE-93957-9 |
Verify User Who Owns shadow File |
To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow
|
| CCE-93956-1 |
Verify Permissions on Backup group File |
To properly set the permissions of /etc/group-, run the command:
$ sudo chmod 0644 /etc/group-
|
| CCE-93955-3 |
Verify Permissions on Backup gshadow File |
To properly set the permissions of /etc/gshadow-, run the command:
$ sudo chmod 0000 /etc/gshadow-
|
| CCE-93954-6 |
Verify Permissions on Backup passwd File |
To properly set the permissions of /etc/passwd-, run the command:
$ sudo chmod 0644 /etc/passwd-
|
| CCE-93953-8 |
Verify Permissions on Backup shadow File |
To properly set the permissions of /etc/shadow-, run the command:
$ sudo chmod 0000 /etc/shadow-
|
| CCE-93952-0 |
Verify Permissions on group File |
To properly set the permissions of /etc/group, run the command:
$ sudo chmod 0644 /etc/group
|
| CCE-93951-2 |
Verify Permissions on gshadow File |
To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow
|
| CCE-93950-4 |
Verify Permissions on passwd File |
To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
|
| CCE-93949-6 |
Verify Permissions on shadow File |
To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0000 /etc/shadow
|
| CCE-94069-2 |
Verify that Shared Library Directories Have Root Group Ownership |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
group-owned by the root user. If the directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chgrp root DIR
|
| CCE-94068-4 |
Verify that Shared Library Directories Have Root Ownership |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chown root DIR
|
| CCE-93801-9 |
Verify that System Executable Directories Have Restrictive Permissions |
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
These directories should not be group-writable or world-writable.
If any directory DIR in these directories is found to be
group-writable or world-writable, correct its permission with the
following command:
$ sudo chmod go-w DIR
|
| CCE-94067-6 |
Verify that Shared Library Directories Have Restrictive Permissions |
System-wide shared library directories, which contain are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All sub-directories in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w DIR
|
| CCE-93701-1 |
Verify that system commands files are group owned by root or a system account |
System commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should be owned by the root group,
or a system account.
If the directory, or any file in these directories, is found to be owned
by a group other than root or a a system account correct its ownership
with the following command:
$ sudo chgrp root FILE
|
| CCE-93699-7 |
Verify that System Executables Have Root Ownership |
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE
|
| CCE-94066-8 |
Verify that Shared Library Files Have Root Ownership |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the directory, or any file in these
directories, is found to be owned by a user other than root correct its
ownership with the following command:
$ sudo chown root FILE
|
| CCE-93698-9 |
Verify that System Executables Have Restrictive Permissions |
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
$ sudo chmod go-w FILE
|
| CCE-94065-0 |
Verify that Shared Library Files Have Restrictive Permissions |
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w FILE
|
| CCE-94064-3 |
Verify the system-wide library files in directories
"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. |
System-wide library files are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
All system-wide shared library files should be protected from unauthorised
access. If any of these files is not group-owned by root, correct its group-owner with
the following command:
$ sudo chgrp root FILE
|
| CCE-93772-2 |
Disable the Automounter |
The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
|
| CCE-93948-8 |
Disable Mounting of cramfs |
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
install cramfs /bin/false
This effectively prevents usage of this uncommon filesystem.
The cramfs filesystem type is a compressed read-only
Linux filesystem embedded in small footprint systems. A
cramfs image can be used without having to first
decompress the image. |
| CCE-93947-0 |
Disable Mounting of squashfs |
To configure the system to prevent the squashfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
install squashfs /bin/false
This effectively prevents usage of this uncommon filesystem.
The squashfs filesystem type is a compressed read-only Linux
filesystem embedded in small footprint systems (similar to
cramfs). A squashfs image can be used without having
to first decompress the image. |
| CCE-93946-2 |
Disable Mounting of udf |
To configure the system to prevent the udf
kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf:
install udf /bin/false
This effectively prevents usage of this uncommon filesystem.
The udf filesystem type is the universal disk format
used to implement the ISO/IEC 13346 and ECMA-167 specifications.
This is an open vendor filesystem type for data storage on a broad
range of media. This filesystem type is neccessary to support
writing DVDs and newer optical disc formats. |
| CCE-93784-7 |
Disable Modprobe Loading of USB Storage Driver |
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/false
This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
| CCE-93945-4 |
Disable Mounting of vFAT filesystems |
To configure the system to prevent the vfat
kernel module from being loaded, add the following line to the file /etc/modprobe.d/vfat.conf:
install vfat /bin/false
This effectively prevents usage of this uncommon filesystem.
The vFAT filesystem format is primarily used on older
windows systems and portable USB drives or flash modules. It comes
in three types FAT12, FAT16, and FAT32
all of which are supported by the vfat kernel module. |
| CCE-93944-7 |
Add nodev Option to /dev/shm |
The nodev mount option can be used to prevent creation of device
files in /dev/shm. Legitimate character and block devices should
not exist within temporary directories like /dev/shm.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| CCE-93943-9 |
Add noexec Option to /dev/shm |
The noexec mount option can be used to prevent binaries
from being executed out of /dev/shm.
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as /dev/shm.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| CCE-93942-1 |
Add nosuid Option to /dev/shm |
The nosuid mount option can be used to prevent execution
of setuid programs in /dev/shm. The SUID and SGID permissions should not
be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| CCE-93941-3 |
Add nodev Option to /home |
The nodev mount option can be used to prevent device files from
being created in /home.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. |
| CCE-93791-2 |
Add nosuid Option to /home |
The nosuid mount option can be used to prevent
execution of setuid programs in /home. The SUID and SGID permissions
should not be required in these user data directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. |
| CCE-93940-5 |
Add nodev Option to Removable Media Partitions |
The nodev mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| CCE-93939-7 |
Add noexec Option to Removable Media Partitions |
The noexec mount option prevents the direct execution of binaries
on the mounted filesystem. Preventing the direct execution of binaries from
removable media (such as a USB key) provides a defense against malicious
software that may be present on such untrusted media.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| CCE-93792-0 |
Add nosuid Option to Removable Media Partitions |
The nosuid mount option prevents set-user-identifier (SUID)
and set-group-identifier (SGID) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce SUID and SGID
files into the system via partitions mounted from removeable media.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| CCE-93695-5 |
Verify that local /var/log/messages is not world-readable |
Files containing sensitive informations should be protected by restrictive
permissions. Most of the time, there is no need that these files need to be read by any non-root user
To properly set the permissions of /var/log/messages, run the command:
$ sudo chmod 0640 /var/log/messages
Check that "permissions.local" file contains the correct permissions rules with the following command:
# grep -i messages /etc/permissions.local
/var/log/messages root:root 640
|
| CCE-93697-1 |
Verify Permissions of Local Logs of audit Tools |
The SUSE operating system audit tools must have the proper permissions
configured to protect against unauthorized access.
Check that "permissions.local" file contains the correct permissions rules
with the following command:
grep "^/usr/sbin/au" /etc/permissions.local
/usr/sbin/audispd root:root 0750
/usr/sbin/auditctl root:root 0750
/usr/sbin/auditd root:root 0750
/usr/sbin/ausearch root:root 0755
/usr/sbin/aureport root:root 0755
/usr/sbin/autrace root:root 0750
/usr/sbin/augenrules root:root 0750
Audit tools include but are not limited to vendor-provided and open-source
audit tools needed to successfully view and manipulate audit information
system activity and records. Audit tools include custom queries and report
generators. |
| CCE-93776-3 |
Verify that Local Logs of the audit Daemon are not World-Readable |
Files containing sensitive informations should be protected by restrictive
permissions. Most of the time, there is no need that these files need to be
read by any non-root user.
Check that "permissions.local" file contains the correct permissions rules with the following command:
# grep -i audit /etc/permissions.local
/var/log/audit/ root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640
|
| CCE-93625-2 |
Restrict Access to Kernel Message Buffer |
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1
|
| CCE-93938-9 |
Disable core dump backtraces |
The ProcessSizeMax option in [Coredump] section
of /etc/systemd/coredump.conf
specifies the maximum size in bytes of a core which will be processed.
Core dumps exceeding this size may be stored, but the backtrace will not
be generated. |
| CCE-93937-1 |
Disable storing core dump |
The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf
can be set to none to disable storing core dumps permanently. |
| CCE-93936-3 |
Disable Core Dumps for All Users |
To disable core dumps for all users, add the following line to
/etc/security/limits.conf, or to a file within the
/etc/security/limits.d/ directory:
* hard core 0
|
| CCE-93935-5 |
Disable Core Dumps for SUID programs |
To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command: $ sudo sysctl -w fs.suid_dumpable=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.suid_dumpable = 0
|
| CCE-93627-8 |
Restrict Exposed Kernel Pointer Addresses Access |
To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict =
|
| CCE-93628-6 |
Enable Randomized Layout of Virtual Address Space |
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2
|
| CCE-93934-8 |
Enable NX or XD Support in the BIOS |
Reboot the system and enter the BIOS or Setup configuration menu.
Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
on AMD-based systems. |
| CCE-93933-0 |
Install PAE Kernel on Supported 32-bit x86 Systems |
Systems that are using the 64-bit x86 kernel package
do not need to install the kernel-PAE package because the 64-bit
x86 kernel already includes this support. However, if the system is
32-bit and also supports the PAE and NX features as
determined in the previous section, the kernel-PAE package should
be installed to enable XD or NX support.
The kernel-PAE package can be installed with the following command:
$ sudo zypper install kernel-PAE
The installation process should also have configured the
bootloader to load the new kernel at boot. Verify this after reboot
and modify /etc/default/grub if necessary. |
| CCE-94091-6 |
Install policycoreutils-python-utils package |
The policycoreutils-python-utils package can be installed with the following command:
$ sudo zypper install policycoreutils-python-utils
|
| CCE-94097-3 |
Install policycoreutils Package |
The policycoreutils package can be installed with the following command:
$ sudo zypper install policycoreutils
|
| CCE-94095-7 |
Configure SELinux Policy |
The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=
Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
| CCE-94094-0 |
Ensure SELinux State is Enforcing |
The SELinux state should be set to /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=
|
| CCE-94087-4 |
Map System Users To The Appropriate SELinux Role |
Configure the operating system to prevent non-privileged users from executing
privileged functions to include disabling, circumventing, or altering
implemented security safeguards/countermeasures. All administrators must be
mapped to the sysadm_u or staff_u users with the
appropriate domains (sysadm_t and staff_t).
$ sudo semanage login -m -s sysadm_u USER
or
$ sudo semanage login -m -s staff_u USER
All authorized non-administrative
users must be mapped to the user_u role or the appropriate domain
(user_t).
$ sudo semanage login -m -s user_u USER
|
| CCE-93932-2 |
Uninstall avahi-autoipd Server Package |
If the system does not need to have an Avahi server which implements
the DNS Service Discovery and Multicast DNS protocols,
the avahi-autoipd and avahi packages can be uninstalled. |
| CCE-93931-4 |
Uninstall avahi Server Package |
If the system does not need to have an Avahi server which implements
the DNS Service Discovery and Multicast DNS protocols,
the avahi-autoipd and avahi packages can be uninstalled. |
| CCE-93930-6 |
Disable Avahi Server Software |
The avahi-daemon service can be disabled with the following command:
$ sudo systemctl mask --now avahi-daemon.service
|
| CCE-93773-0 |
Disable KDump Kernel Crash Analyzer (kdump) |
The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.
The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service
|
| CCE-93929-8 |
Ensure that /etc/at.deny does not exist |
The file /etc/at.deny should not exist.
Use /etc/at.allow instead. |
| CCE-93928-0 |
Verify Group Who Owns /etc/at.allow file |
If /etc/at.allow exists, it must be group-owned by root.
To properly set the group owner of /etc/at.allow, run the command:
$ sudo chgrp root /etc/at.allow
|
| CCE-93927-2 |
Verify User Who Owns /etc/at.allow file |
If /etc/at.allow exists, it must be owned by root.
To properly set the owner of /etc/at.allow, run the command:
$ sudo chown root /etc/at.allow
|
| CCE-93926-4 |
Verify Permissions on /etc/at.allow file |
If /etc/at.allow exists, it must have permissions 0640
or more restrictive.
To properly set the permissions of /etc/at.allow, run the command:
$ sudo chmod 0640 /etc/at.allow
|
| CCE-93925-6 |
Uninstall DHCP Client Package |
If the system does not need to act as a DHCP client,
the dhcp-client package can be uninstalled.
The dhcp-client package can be removed with the following command:
$ sudo zypper remove dhcp-client
|
| CCE-93924-9 |
Uninstall DHCP Server Package |
If the system does not need to act as a DHCP server,
the dhcp package can be uninstalled.
The dhcp package can be removed with the following command:
$ sudo zypper remove dhcp
|
| CCE-93923-1 |
Disable DHCP Service |
The dhcpd service should be disabled on
any system that does not need to act as a DHCP server.
The dhcpd service can be disabled with the following command:
$ sudo systemctl mask --now dhcpd.service
|
| CCE-93922-3 |
Uninstall bind Package |
The named service is provided by the bind package.
The bind package can be removed with the following command:
$ sudo zypper remove bind
|
| CCE-93921-5 |
Disable named Service |
The named service can be disabled with the following command:
$ sudo systemctl mask --now named.service
|
| CCE-93920-7 |
Uninstall vsftpd Package |
The vsftpd package can be removed with the following command: $ sudo zypper remove vsftpd
|
| CCE-93919-9 |
Disable vsftpd Service |
The vsftpd service can be disabled with the following command:
$ sudo systemctl mask --now vsftpd.service
|
| CCE-93918-1 |
Uninstall httpd Package |
The httpd package can be removed with the following command:
$ sudo zypper remove httpd
|
| CCE-93917-3 |
Disable httpd Service |
The httpd service can be disabled with the following command:
$ sudo systemctl mask --now httpd.service
|
| CCE-93916-5 |
Uninstall dovecot Package |
The dovecot package can be removed with the following command:
$ sudo zypper remove dovecot
|
| CCE-93915-7 |
Disable Dovecot Service |
The dovecot service can be disabled with the following command:
$ sudo systemctl mask --now dovecot.service
|
| CCE-93914-0 |
Ensure LDAP client is not installed |
The Lightweight Directory Access Protocol (LDAP) is a service that provides
a method for looking up information from a central database.
The openldap-clients package can be removed with the following command:
$ sudo zypper remove openldap-clients
|
| CCE-93913-2 |
Uninstall openldap-servers Package |
The openldap-servers package is not installed by default on a SUSE Linux Enterprise Micro 5
system. It is needed only by the OpenLDAP server, not by the
clients which use LDAP for authentication. If the system is not
intended for use as an LDAP Server it should be removed. |
| CCE-93678-1 |
Configure System to Forward All Mail For The Root Account |
Make sure that mails delivered to root user are forwarded to a monitored
email address. Make sure that the address
is a valid email address
reachable from the system in question. Use the following command to
configure the alias:
$ sudo echo "root: " >> /etc/aliases
$ sudo newaliases
|
| CCE-93912-4 |
Disable Postfix Network Listening |
Edit the file /etc/postfix/main.cf to ensure that only the following
inet_interfaces line appears:
inet_interfaces =
|
| CCE-93911-6 |
Uninstall nfs-utils Package |
The nfs-utils package can be removed with the following command:
$ sudo zypper remove nfs-utils
|
| CCE-93910-8 |
Disable Network File System (nfs) |
The Network File System (NFS) service allows remote hosts to mount
and interact with shared filesystems on the local system. If the local system
is not designated as a NFS server then this service should be disabled.
The nfs-server service can be disabled with the following command:
$ sudo systemctl mask --now nfs-server.service
|
| CCE-93794-6 |
Mount Remote Filesystems with noexec |
Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| CCE-93793-8 |
Mount Remote Filesystems with nosuid |
Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| CCE-93909-0 |
The Chrony package is installed |
System time should be synchronized between all systems in an environment. This is
typically done by establishing an authoritative time server or set of servers and having all
systems synchronize their clocks to them.
The chrony package can be installed with the following command:
$ sudo zypper install chrony
|
| CCE-93803-5 |
A remote time server for Chrony is configured |
Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed
to synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
https://chrony-project.org/.
Chrony can be configured to be a client and/or a server.
Add or edit server or pool lines to /etc/chrony.conf as appropriate:
server <remote-server>
Multiple servers may be configured. |
| CCE-93908-2 |
Chrony Configure Pool and Server |
Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
https://chrony-project.org/.
Chrony can be configured to be a client and/or a server.
Add or edit server or pool lines to /etc/chrony.conf as appropriate:
server <remote-server>
Multiple servers may be configured. |
| CCE-93709-4 |
Configure Time Service Maxpoll Interval |
The maxpoll should be configured to
in /etc/ntp.conf or
/etc/chrony.conf (or /etc/chrony.d/) to continuously poll time servers. To configure
maxpoll in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/)
add the following after each server, pool or peer entry:
maxpoll
to server directives. If using chrony, any pool directives
should be configured too. |
| CCE-93907-4 |
Ensure that chronyd is running under chrony user account |
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
https://chrony-project.org/.
Chrony can be configured to be a client and/or a server.
To ensure that chronyd is running under chrony user account,
add or edit the
OPTIONS variable in /etc/sysconfig/chronyd to include -u chrony:
OPTIONS="-u chrony"
This recommendation only applies if chrony is in use on the system. |
| CCE-93906-6 |
Uninstall tcpd Package |
The tcpd package can be removed with the following command:
$ sudo zypper remove tcpd
|
| CCE-93905-8 |
Uninstall xinetd Package |
The xinetd package can be removed with the following command:
$ sudo zypper remove xinetd
|
| CCE-93904-1 |
Disable xinetd Service |
The xinetd service can be disabled with the following command:
$ sudo systemctl mask --now xinetd.service
|
| CCE-93903-3 |
Remove NIS Client |
The Network Information Service (NIS), formerly known as Yellow Pages,
is a client-server directory service protocol used to distribute system configuration
files. The NIS client (ypbind) was used to bind a system to an NIS server
and receive the distributed configuration files. |
| CCE-93902-5 |
Uninstall ypserv Package |
The ypserv package can be removed with the following command:
$ sudo zypper remove ypserv
|
| CCE-93901-7 |
Uninstall rsh Package |
The rsh package contains the client commands
for the rsh services |
| CCE-93741-7 |
Remove Host-Based Authentication Files |
The shosts.equiv file lists remote hosts and users that are trusted by the local
system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
|
| CCE-93740-9 |
Remove User Host-Based Authentication Files |
The ~/.shosts (in each user's home directory) files
list remote hosts and users that are trusted by the
local system. To remove these files, run the following command
to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete
|
| CCE-93900-9 |
Uninstall talk Package |
The talk package contains the client program for the
Internet talk protocol, which allows the user to chat with other users on
different systems. Talk is a communication program which copies lines from one
terminal to the terminal of another user.
The talk package can be removed with the following command:
$ sudo zypper remove talk
|
| CCE-93899-3 |
Uninstall telnet-server Package |
The telnet-server package can be removed with the following command:
$ sudo zypper remove telnet-server
|
| CCE-93898-5 |
Remove telnet Clients |
The telnet client allows users to start connections to other systems via
the telnet protocol. |
| CCE-93897-7 |
Uninstall CUPS Package |
The cups package can be removed with the following command:
$ sudo zypper remove cups
|
| CCE-93896-9 |
Disable the CUPS Service |
The cups service can be disabled with the following command:
$ sudo systemctl mask --now cups.service
|
| CCE-93895-1 |
Uninstall squid Package |
The squid package can be removed with the following command: $ sudo zypper remove squid
|
| CCE-93894-4 |
Disable Squid |
The squid service can be disabled with the following command:
$ sudo systemctl mask --now squid.service
|
| CCE-93893-6 |
Uninstall Samba Package |
The samba package can be removed with the following command: $ sudo zypper remove samba
|
| CCE-93892-8 |
Disable Samba |
The smb service can be disabled with the following command:
$ sudo systemctl mask --now smb.service
|
| CCE-93891-0 |
Uninstall net-snmp Package |
The net-snmp package provides the snmpd service.
The net-snmp package can be removed with the following command:
$ sudo zypper remove net-snmp
|
| CCE-93890-2 |
Disable snmpd Service |
The snmpd service can be disabled with the following command:
$ sudo systemctl mask --now snmpd.service
|
| CCE-93770-6 |
Install the OpenSSH Server Package |
The openssh-server package should be installed.
The openssh-server package can be installed with the following command:
$ sudo zypper install openssh-server
|
| CCE-93771-4 |
Enable the OpenSSH Service |
The SSH server service, sshd, is commonly needed.
The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
|
| CCE-93889-4 |
Verify Group Who Owns SSH Server config file |
To properly set the group owner of /etc/ssh/sshd_config, run the command:
$ sudo chgrp root /etc/ssh/sshd_config
|
| CCE-93888-6 |
Verify Owner on SSH Server config file |
To properly set the owner of /etc/ssh/sshd_config, run the command:
$ sudo chown root /etc/ssh/sshd_config
|
| CCE-93887-8 |
Verify Permissions on SSH Server config file |
To properly set the permissions of /etc/ssh/sshd_config, run the command:
$ sudo chmod 0600 /etc/ssh/sshd_config
|
| CCE-93751-6 |
Verify Permissions on SSH Server Private *_key Key Files |
SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions.
If those files are owned by the root user and the root group, they have to have the 0640 permission or stricter. |
| CCE-93663-3 |
Verify Permissions on SSH Server Public *.pub Key Files |
To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub
|
| CCE-94086-6 |
OpenSSH Service Must Use Passcode for Their Private Keys |
Verify the SSH private key files have a passcode.
For each private key stored on the system, use the following command:
$ sudo ssh-keygen -y -f /path/to/file
If the contents of the key are displayed, without asking a passphrase this is a finding. |
| CCE-93694-8 |
Set SSH Client Alive Count Max |
The SSH server sends at most ClientAliveCountMax messages
during a SSH session and waits for a response from the SSH client.
The option ClientAliveInterval configures timeout after
each ClientAliveCountMax message. If the SSH server does not
receive a response from the client, then the connection is considered unresponsive
and terminated.
For SSH earlier than v8.2, a ClientAliveCountMax value of 0
causes a timeout precisely when the ClientAliveInterval is set.
Starting with v8.2, a value of 0 disables the timeout functionality
completely. If the option is set to a number greater than 0, then
the session will be disconnected after
ClientAliveInterval * ClientAliveCountMax seconds without receiving
a keep alive message. |
| CCE-93692-2 |
Set SSH Client Alive Interval |
SSH allows administrators to set a network responsiveness timeout interval.
After this interval has passed, the unresponsive client will be automatically logged out.
To set this timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval
The timeout interval is given in seconds. For example, have a timeout
of 10 minutes, set interval to 600.
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle. |
| CCE-93886-0 |
Disable Host-Based Authentication |
SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
The default SSH configuration disables host-based authentication. The appropriate
configuration is used if no value is set for HostbasedAuthentication.
To explicitly disable host-based authentication, add or correct the
following line in
/etc/ssh/sshd_config:
HostbasedAuthentication no
|
| CCE-93650-0 |
Disable SSH Access via Empty Passwords |
Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords,
add or correct the following line in
/etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords. |
| CCE-93885-2 |
Disable SSH Support for .rhosts Files |
SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
The default SSH configuration disables support for .rhosts. The appropriate
configuration is used if no value is set for IgnoreRhosts.
To explicitly disable support for .rhosts files, add or correct the following line in
/etc/ssh/sshd_config:
IgnoreRhosts yes
|
| CCE-93644-3 |
Disable SSH Root Login |
The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
/etc/ssh/sshd_config:
PermitRootLogin no
|
| CCE-93884-5 |
Disable SSH TCP Forwarding |
The AllowTcpForwarding parameter specifies whether TCP forwarding is permitted.
To disable TCP forwarding, add or correct the following line in
/etc/ssh/sshd_config:
AllowTcpForwarding no
|
| CCE-93646-8 |
Disable SSH Support for User Known Hosts |
SSH can allow system users to connect to systems if a cache of the remote
systems public keys is available. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in
/etc/ssh/sshd_config:
IgnoreUserKnownHosts yes
|
| CCE-93648-4 |
Disable X11 Forwarding |
The X11Forwarding parameter provides the ability to tunnel X11 traffic
through the connection to enable remote graphic connections.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate
configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in
/etc/ssh/sshd_config:
X11Forwarding no
|
| CCE-93649-2 |
Do Not Allow SSH Environment Options |
Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate
configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following
/etc/ssh/sshd_config:
PermitUserEnvironment no
|
| CCE-93883-7 |
Enable PAM |
UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will
enable PAM authentication using ChallengeResponseAuthentication and
PasswordAuthentication in addition to PAM account and session module processing for all
authentication types.
To enable PAM authentication, add or correct the following line in
/etc/ssh/sshd_config:
UsePAM yes
|
| CCE-93647-6 |
Enable Use of Strict Mode Checking |
SSHs StrictModes option checks file and ownership permissions in
the user's home directory .ssh folder before accepting login. If world-
writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate
configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in
/etc/ssh/sshd_config:
StrictModes yes
|
| CCE-93642-7 |
Enable SSH Warning Banner |
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
/etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an
appropriate system-wide warning banner. |
| CCE-93882-9 |
Limit Users' SSH Access |
By default, the SSH configuration allows any user with an account
to access the system. There are several options available to limit
which users and group can access the system via SSH. It is
recommended that at least one of the following options be leveraged:
- AllowUsers variable gives the system administrator the option of
allowing specific users to ssh into the system. The list consists of
space separated user names. Numeric user IDs are not recognized with
this variable. If a system administrator wants to restrict user
access further by specifically allowing a user's access only from a
particular host, the entry can be specified in the form of user@host.
- AllowGroups variable gives the system administrator the option of
allowing specific groups of users to ssh into the system. The list
consists of space separated group names. Numeric group IDs are not
recognized with this variable.
- DenyUsers variable gives the system administrator the option of
denying specific users to ssh into the system. The list consists of
space separated user names. Numeric user IDs are not recognized with
this variable. If a system administrator wants to restrict user
access further by specifically denying a user's access from a
particular host, the entry can be specified in the form of user@host.
- DenyGroups variable gives the system administrator the option of
denying specific groups of users to ssh into the system. The list
consists of space separated group names. Numeric group IDs are not
recognized with this variable. |
| CCE-93645-0 |
Enable SSH Print Last Log |
Ensure that SSH will display the date and time of the last successful account logon.
The default SSH configuration enables print of the date and time of the last login.
The appropriate configuration is used if no value is set for PrintLastLog.
To explicitly enable LastLog in SSH, add or correct the following line in
/etc/ssh/sshd_config:
PrintLastLog yes
|
| CCE-93881-1 |
Ensure SSH LoginGraceTime is configured |
The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to
the SSH server. The longer the Grace period is the more open unauthenticated connections
can exist. Like other session controls in this session the Grace Period should be limited to
appropriate limits to ensure the service is available for needed access. |
| CCE-93643-5 |
Set SSH Daemon LogLevel to VERBOSE |
The VERBOSE parameter configures the SSH daemon to record login and logout activity.
To specify the log level in
SSH, add or correct the following line in
/etc/ssh/sshd_config:
LogLevel VERBOSE
|
| CCE-93880-3 |
Set SSH authentication attempt limit |
The MaxAuthTries parameter specifies the maximum number of authentication attempts
permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
to set MaxAUthTries edit /etc/ssh/sshd_config as follows:
MaxAuthTries
|
| CCE-93879-5 |
Set SSH MaxSessions limit |
The MaxSessions parameter specifies the maximum number of open sessions permitted
from a given connection. To set MaxSessions edit
/etc/ssh/sshd_config as follows: MaxSessions
|
| CCE-93878-7 |
Ensure SSH MaxStartups is configured |
The MaxStartups parameter specifies the maximum number of concurrent unauthenticated
connections to the SSH daemon. Additional connections will be dropped until authentication
succeeds or the LoginGraceTime expires for a connection. To configure MaxStartups, you should
add or edit the following line in the /etc/ssh/sshd_config file:
MaxStartups
|
| CCE-93673-2 |
Use Only FIPS 140-2 Validated Ciphers |
Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers.
The rule is parametrized to use the following ciphers: |
| CCE-93672-4 |
Use Only FIPS 140-2 Validated Ciphers |
Limit the ciphers to those algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
This rule ensures that there are configured ciphers mentioned
above (or their subset), keeping the given order of algorithms. |
| CCE-93696-3 |
Use Only FIPS 140-2 Validated Key Exchange Algorithms |
Limit the key exchange algorithms to those which are FIPS-approved.
Add or modify the following line in /etc/ssh/sshd_config
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
This rule ensures that only the key exchange algorithms mentioned
above (or their subset) are configured for use, keeping the given
order of algorithms. |
| CCE-93691-4 |
Use Only FIPS 140-2 Validated MACs |
Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256
The man page sshd_config(5) contains a list of supported MACs.
The rule is parametrized to use the following MACs: |
| CCE-93690-6 |
Use Only FIPS 140-2 Validated MACs |
Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256
This rule ensures that there are configured MACs mentioned
above (or their subset), keeping the given order of algorithms. |
| CCE-93877-9 |
Use Only Strong Ciphers |
Limit the ciphers to strong algorithms.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config
demonstrates use of those ciphers:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
The man page sshd_config(5) contains a list of supported ciphers. |
| CCE-93876-1 |
Use Only Strong Key Exchange algorithms |
Limit the Key Exchange to strong algorithms.
The following line in /etc/ssh/sshd_config demonstrates use
of those:
KexAlgorithms
|
| CCE-93875-3 |
Use Only Strong MACs |
Limit the MACs to strong hash algorithms.
The following line in /etc/ssh/sshd_config demonstrates use
of those MACs:
MACs
|
| CCE-93718-5 |
Configure SSSD's Memory Cache to Expire |
SSSD's memory cache should be configured to set to expire records after
memcache_timeout to
[nss] section in /etc/sssd/sssd.conf.
For example:
[nss]
memcache_timeout =
|
| CCE-93719-3 |
Configure SSSD to Expire Offline Credentials |
SSSD should be configured to expire offline credentials after 1 day.
To configure SSSD to expire offline credentials, set
offline_credentials_expiration to 1 under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
|
| CCE-93874-6 |
Remove the X Windows Package Group |
By removing the xorg-x11-server-common package, the system no longer has X Windows
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a graphical.target
mode. To do so, run the following command:
$ sudo zypper groupremove "X Window System"
$ sudo zypper remove xorg-x11-server-common
|
| CCE-94096-5 |
Ensure the default plugins for the audit dispatcher are Installed |
The audit-audispd-plugins package should be installed. |
| CCE-93872-0 |
Ensure the audit-libs package as a part of audit Subsystem is Installed |
The audit-libs package should be installed. |
| CCE-93756-5 |
Ensure the audit Subsystem is Installed |
The audit package should be installed. |
| CCE-93768-0 |
Enable auditd Service |
The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
|
| CCE-93871-2 |
Enable Auditing for Processes Which Start Prior to the Audit Daemon |
To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain audit=1 as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
|
| CCE-93870-4 |
Extend Audit Backlog Limit for the Audit Daemon |
To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default
GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain audit_backlog_limit=8192 as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192"
|
| CCE-93739-1 |
Remove Default Configuration to Disable Syscall Auditing |
By default, SUSE Linux Enterprise Micro 5 ships an audit rule to disable syscall
auditing for performance reasons.
To make sure that syscall auditing works, this line must be removed from
/etc/audit/rules.d/audit.rules and /etc/audit/audit.rules:
-a task,never
|
| CCE-93869-6 |
Make the auditd Configuration Immutable |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2
With this setting, a reboot will be required to change any audit rules. |
| CCE-93868-8 |
Record Events that Modify the System's Mandatory Access Controls |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
|
| CCE-93867-0 |
Record Events that Modify the System's Mandatory Access Controls in usr/share |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /usr/share/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /usr/share/selinux/ -p wa -k MAC-policy
|
| CCE-93654-2 |
Ensure auditd Collects Information on Exporting to Media (successful) |
At a minimum, the audit system should collect media exportation
events for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
|
| CCE-93866-2 |
Record Events that Modify the System's Network Environment |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
|
| CCE-93865-4 |
Record Attempts to Alter Process and Session Initiation Information |
The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
|
| CCE-93725-0 |
Record Attempts to Alter Process and Session Initiation Information btmp |
The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/log/btmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/log/btmp -p wa -k session
|
| CCE-93723-5 |
Record Attempts to Alter Process and Session Initiation Information utmp |
The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /run/utmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /run/utmp -p wa -k session
|
| CCE-93724-3 |
Record Attempts to Alter Process and Session Initiation Information wtmp |
The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/log/wtmp -p wa -k session
|
| CCE-93705-2 |
Record Events When Privileged Executables Are Run |
Verify the system generates an audit record when privileged functions are executed.
If audit is using the "auditctl" tool to load the rules, run the following command:
$ sudo grep execve /etc/audit/audit.rules
If audit is using the "augenrules" tool to load the rules, run the following command:
$ sudo grep -r execve /etc/audit/rules.d
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. |
| CCE-93674-0 |
Ensure auditd Collects System Administrator Actions |
At a minimum, the audit system should collect administrator actions
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
|
| CCE-93657-5 |
Record Events that Modify User/Group Information - /etc/group |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
|
| CCE-93864-7 |
Record Events that Modify User/Group Information - /etc/gshadow |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
|
| CCE-93659-1 |
Record Events that Modify User/Group Information - /etc/security/opasswd |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
|
| CCE-93656-7 |
Record Events that Modify User/Group Information - /etc/passwd |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
|
| CCE-93658-3 |
Record Events that Modify User/Group Information - /etc/shadow |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
|
| CCE-93863-9 |
Record Attempts to perform maintenance activities |
The SUSE Linux Enterprise Micro 5 operating system must generate audit records for
privileged activities, nonlocal maintenance, diagnostic sessions and
other system-level access.
Verify the operating system audits activities performed during nonlocal
maintenance and diagnostic sessions. Run the following command:
$ sudo auditctl -l | grep sudo.log
-w /var/log/sudo.log -p wa -k maintenance
|
| CCE-93862-1 |
Record Events that Modify the System's Discretionary Access Controls - chmod |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93861-3 |
Record Events that Modify the System's Discretionary Access Controls - chown |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93653-4 |
Record Events that Modify the System's Discretionary Access Controls - fchmod |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93860-5 |
Record Events that Modify the System's Discretionary Access Controls - fchmodat |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93859-7 |
Record Events that Modify the System's Discretionary Access Controls - fchown |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93858-9 |
Record Events that Modify the System's Discretionary Access Controls - fchownat |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93651-8 |
Record Events that Modify the System's Discretionary Access Controls - fremovexattr |
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93857-1 |
Record Events that Modify the System's Discretionary Access Controls - fsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93652-6 |
Record Events that Modify the System's Discretionary Access Controls - lchown |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93856-3 |
Record Events that Modify the System's Discretionary Access Controls - lremovexattr |
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93855-5 |
Record Events that Modify the System's Discretionary Access Controls - lsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93854-8 |
Record Events that Modify the System's Discretionary Access Controls - removexattr |
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93853-0 |
Record Events that Modify the System's Discretionary Access Controls - setxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93655-9 |
Record Events that Modify the System's Discretionary Access Controls - umount2 |
At a minimum, the audit system should collect file system umount2
changes. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| CCE-93618-7 |
Record Any Attempts to Run chacl |
At a minimum, the audit system should collect any execution attempt
of the chacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93616-1 |
Record Any Attempts to Run chmod |
At a minimum, the audit system should collect any execution attempt
of the chmod command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93617-9 |
Record Any Attempts to Run setfacl |
At a minimum, the audit system should collect any execution attempt
of the setfacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93619-5 |
Record Any Attempts to Run chcon |
At a minimum, the audit system should collect any execution attempt
of the chcon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93620-3 |
Record Any Attempts to Run rm |
At a minimum, the audit system should collect any execution attempt
of the rm command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-94098-1 |
Record Any Attempts to Run semanage |
At a minimum, the audit system should collect any execution attempt
of the semanage command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-94099-9 |
Record Any Attempts to Run setfiles |
At a minimum, the audit system should collect any execution attempt
of the setfiles command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-94100-5 |
Record Any Attempts to Run setsebool |
At a minimum, the audit system should collect any execution attempt
of the setsebool command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93852-2 |
Ensure auditd Collects File Deletion Events by User - rename |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
|
| CCE-93851-4 |
Ensure auditd Collects File Deletion Events by User - renameat |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
|
| CCE-93849-8 |
Ensure auditd Collects File Deletion Events by User - unlink |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
|
| CCE-93850-6 |
Ensure auditd Collects File Deletion Events by User - unlinkat |
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
|
| CCE-93848-0 |
Record Unsuccessful Access Attempts to Files - creat |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| CCE-93847-2 |
Record Unsuccessful Access Attempts to Files - ftruncate |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| CCE-93666-6 |
Record Unsuccessful Access Attempts to Files - open |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| CCE-93845-6 |
Record Unsuccessful Access Attempts to Files - openat |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| CCE-93667-4 |
Record Unsuccessful Delete Attempts to Files - rename |
The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
| CCE-93844-9 |
Record Unsuccessful Access Attempts to Files - truncate |
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| CCE-93843-1 |
Ensure auditd Collects Information on Kernel Module Loading and Unloading |
To capture kernel module loading and unloading events, use following lines, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
The place to add the lines depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the lines to file /etc/audit/audit.rules. |
| CCE-93675-7 |
Ensure auditd Collects Information on Kernel Module Unloading - delete_module |
To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| CCE-93676-5 |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module |
If the auditd daemon is configured to use the augenrules program
to read audit rules during daemon startup (the default), add the following lines to a file
with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to /etc/audit/audit.rules file
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
|
| CCE-93842-3 |
Ensure auditd Collects Information on Kernel Module Loading - init_module |
To capture kernel module loading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| CCE-93841-5 |
Record Attempts to Alter Logon and Logout Events - faillog |
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/faillog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/faillog -p wa -k logins
|
| CCE-93665-8 |
Record Attempts to Alter Logon and Logout Events - lastlog |
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
|
| CCE-93664-1 |
Record Attempts to Alter Logon and Logout Events - tallylog |
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
|
| CCE-93607-0 |
Ensure auditd Collects Information on the Use of Privileged Commands - chage |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93610-4 |
Ensure auditd Collects Information on the Use of Privileged Commands - chfn |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93605-4 |
Ensure auditd Collects Information on the Use of Privileged Commands - chsh |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93608-8 |
Ensure auditd Collects Information on the Use of Privileged Commands - crontab |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93603-9 |
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93612-0 |
Ensure auditd Collects Information on the Use of Privileged Commands - insmod |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/insmod -p x -k modules
|
| CCE-93615-3 |
Ensure auditd Collects Information on the Use of Privileged Commands - kmod |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /usr/bin/kmod -p x -k modules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-w /usr/bin/kmod -p x -k modules
|
| CCE-93614-6 |
Ensure auditd Collects Information on the Use of Privileged Commands - modprobe |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/modprobe -p x -k modules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-w /sbin/modprobe -p x -k modules
|
| CCE-93604-7 |
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93622-9 |
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93602-1 |
Ensure auditd Collects Information on the Use of Privileged Commands - passwd |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93613-8 |
Ensure auditd Collects Information on the Use of Privileged Commands - rmmod |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/rmmod -p x -k modules
|
| CCE-93611-2 |
Record Any Attempts to Run ssh-agent |
At a minimum, the audit system should collect any execution attempt
of the ssh-agent command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
|
| CCE-94071-8 |
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93623-7 |
Ensure auditd Collects Information on the Use of Privileged Commands - su |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93624-5 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudo |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93609-6 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93606-2 |
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93621-1 |
Ensure auditd Collects Information on the Use of Privileged Commands - usermod |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| CCE-93840-7 |
Record attempts to alter time through adjtimex |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but is
not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
|
| CCE-93839-9 |
Record attempts to alter time through settimeofday |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but is
not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
|
| CCE-93838-1 |
Record Attempts to Alter Time Through stime |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). If the
auditd daemon is configured to use the auditctl utility to
read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). The -k option
allows for the specification of a key in string form that can be used for
better reporting capability through ausearch and aureport. Multiple system
calls can be defined on the same line to save space if desired, but is not
required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
|
| CCE-93837-3 |
Record Attempts to Alter the localtime File |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport and
should always be used. |
| CCE-93707-8 |
Configure audispd Plugin To Send Logs To Remote Server |
Configure the audispd plugin to off-load audit records onto a different
system or media from the system being audited.
Set the remote_server option in /etc/audit/audisp-remote.conf
with an IP address or hostname of the system that the audispd plugin should
send audit records to. For example
remote_server =
|
| CCE-94090-8 |
Configure a Sufficiently Large Partition for Audit Logs |
The SUSE Linux Enterprise Micro 5 operating system must allocate audit record storage
capacity to store at least one weeks worth of audit records when audit
records are not immediately sent to a central audit record storage
facility.
The partition size needed to capture a week's worth of audit records is
based on the activity level of the system and the total storage capacity
available.
In normal circumstances, 10.0 GB of storage space for audit
records will be sufficient.
Determine which partition the audit records are being written to with the
following command:
$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Check the size of the partition that audit records are written to with the
following command:
$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
|
| CCE-93728-4 |
Configure audispd's Plugin disk_full_action When Disk Is Full |
Configure the action the operating system takes if the disk the audit records
are written to becomes full. Edit the file /etc/audit/audisp-remote.conf.
Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. |
| CCE-93706-0 |
Encrypt Audit Records Sent With audispd Plugin |
Configure the operating system to encrypt the transfer of off-loaded audit
records onto a different system or media from the system being audited.
Uncomment the enable_krb5 option in /etc/audit/audisp-remote.conf ,
and set it with the following line:
enable_krb5 = yes
|
| CCE-93727-6 |
Configure audispd's Plugin network_failure_action On Network Failure |
Configure the action the operating system takes if there is an error sending
audit records to a remote system. Edit the file /etc/audit/audisp-remote.conf.
Add or modify the following line, substituting ACTION appropriately:
network_failure_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
This profile configures the action to be |
| CCE-93679-9 |
Configure auditd Disk Full Action when Disk Space Is Full |
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include
syslog, exec, single, and halt
For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| CCE-93677-3 |
Configure auditd mail_acct Action on Low Disk Space |
The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct =
|
| CCE-93836-5 |
Configure auditd admin_space_left Action on Low Disk Space |
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include suspend and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| CCE-93835-7 |
Configure auditd Max Log File Size |
Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf. Add or modify the following line, substituting
the correct value of for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data. |
| CCE-93834-0 |
Configure auditd max_log_file_action Upon Reaching Maximum Log Size |
The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man
page. These include:
ignoresyslogsuspendrotatekeep_logs
Set the ACTION to |
| CCE-93788-8 |
Configure auditd space_left Action on Low Disk Space |
The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page.
These include:
syslogemailexecsuspendsinglehalt
Set this to email (instead of the default,
which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt. |
| CCE-93708-6 |
Configure auditd space_left on Low Disk Space |
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting PERCENTAGE appropriately:
space_left = PERCENTAGE%
Set this value to at least 25 to cause the system to
notify the user of an issue. |