A SLEM 5 release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.

Verify that the version of SLEM 5 is vendor supported with the following command:

     > cat /etc/os-release
     NAME="SLE Micro"
     VERSION="5.2"
     ...

If the installed version of SLEM 5 is not supported, this is a finding.

Upgrade SLEM 5 to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription.

If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.

Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.

Verify that SLEM 5 has implemented an endpoint security tool.

If no endpoint security tool is present and enabled on the system, this is a finding.

Install and enable an endpoint security tool.

Display of a standardized and approved use notification before granting access to SLEM 5 ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.

The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for SLEM 5 that can accommodate banners of 1300 characters:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Verify SLEM 5 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH.

Check the issue file to verify it contains one of the DOD required banners. If it does not, this is a finding.

     > more /etc/issue
     The output must display the following DOD-required banner text: 

     "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

     By using this IS (which includes any device attached to this IS), you consent to the following conditions:

     -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

     -At any time, the USG may inspect and seize data stored on this IS.

     -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

     -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

     -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the output does not display the correct banner text, this is a finding.

Configure SLEM 5 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system by running the following commands:

To configure the system logon banner, edit the "/etc/issue" file. Replace the default text inside with the Standard Mandatory DOD banner text:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.

Verify SLEM 5 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command:

     > systemctl status ctrl-alt-del.target
     ctrl-alt-del.target
          Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
          Active: inactive (dead)

If ctrl-alt-del.target is not masked, this is a finding.

Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:

     > sudo systemctl disable ctrl-alt-del.target

     > sudo systemctl mask ctrl-alt-del.target

Then, reload the daemon to take effect:

     > sudo systemctl daemon-reload

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.

Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.

Note: If the system does not use a BIOS, this requirement is not applicable.

Verify that SLEM 5 has set an encrypted root password with the following command:

     > sudo cat /boot/grub2/grub.cfg | grep -i password 
     password_pbkdf2 root grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771

If the root password entry does not begin with "password_pbkdf2", this is a finding.

Note: If the system does not use a BIOS, this requirement is not applicable.

Configure SLEM 5 to encrypt the boot password.

Generate an encrypted GRUB bootloader password for root with the following command:

     > grub2-mkpasswd-pbkdf2
     Enter Password:
     Reenter Password:
     PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771

Using the hash from the output, modify the "/etc/grub.d/40_custom" file and add the following two lines to add a boot password for the root entry:

     set superusers="root"
     password_pbkdf2 root grub.pbkdf2.sha512.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771

Generate an updated "grub.conf" file with the new password using the following commands:

     > sudo grub2-mkconfig --output=/tmp/grub2.cfg

     > sudo mv /tmp/grub2.cfg /boot/grub2/grub.cfg

If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information.

Note: If the system does not use UEFI, this requirement is not applicable.

Verify that SLEM 5 has set an encrypted root password with the following command:

     > sudo cat /boot/efi/EFI/BOOT/grub.cfg | grep -i password 
     password_pbkdf2 root grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771

If the root password entry does not begin with "password_pbkdf2", this is a finding.

Note: If the system does not use UEFI, this requirement is not applicable.

Configure SLEM 5 to encrypt the boot password.

Generate an encrypted GRUB bootloader password for root with the following command:

     > grub2-mkpasswd-pbkdf2
     Enter Password:
     Reenter Password:
     PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771

Using the hash from the output, modify the "/etc/grub.d/40_custom" file and add the following two lines to add a boot password for the root entry:

     set superusers="rooty"
     password_pbkdf2 root grub.pbkdf2.sha512.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771

Generate an updated "grub.conf" file with the new password using the following commands:

     > sudo grub2-mkconfig --output=/tmp/grub2.cfg

     > sudo mv /tmp/grub2.cfg /boot/efi/EFI/BOOT/grub.cfg

Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.

Verify SLEM 5 is configured to restrict access to the kernel message buffer with the following commands:

     > sudo sysctl kernel.dmesg_restrict
     kernel.dmesg_restrict = 1

If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.

Check that the configuration files are present to enable this kernel parameter:

     > sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null

     /etc/sysctl.conf:kernel.dmesg_restrict = 1
     /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1

If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding.

If conflicting results are returned, this is a finding.

Configure SLEM 5 to restrict access to the kernel message buffer.

Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory:

kernel.dmesg_restrict = 1

Remove any configurations that conflict with the above from the following locations: 

/run/sysctl.d/
/etc/sysctl.d/
/usr/local/lib/sysctl.d/
/usr/lib/sysctl.d/
/lib/sysctl.d/
/etc/sysctl.conf

Reload settings from all system configuration files with the following command:

     $ sudo sysctl --system

Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service (DoS) by exhausting the available space on the target file system partition.

Verify that SLEM 5 kernel core dumps are disabled unless needed with the following command:

     > systemctl status kdump.service
     kdump.service - Load kdump kernel and initrd
          Loaded: loaded (/usr/lib/systemd/system/kdump.service; disabled; vendor preset: disabled)
          Active: inactive (dead)

If "kdump.service" is active, ask the system administrator if the use of the service is required and documented with the information system security officer (ISSO).

If the service is active and is not documented, this is a finding.

If SLEM 5 kernel core dumps are not required, disable the "kdump" service with the following command:

     > sudo systemctl disable kdump.service

If kernel core dumps are required, document the need with the ISSO.

Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware enforced or software enforced, with hardware providing the greater strength of mechanism.

Examples of attacks are buffer overflow attacks.

Verify SLEM 5 implements Address space layout randomization (ASLR) with the following command:

     > sudo sysctl kernel.randomize_va_space
     kernel.randomize_va_space = 2

If the kernel parameter "randomize_va_space" is not equal to "2", or nothing is returned, this is a finding.

Configure SLEM 5 to implement ASLR by running the following command as an administrator:

     > sudo sysctl -w kernel.randomize_va_space=2

If "2" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "kernel.randomize_va_space=2" >> /etc/sysctl.d/99-stig.conf'

Reload settings from all system configuration files with the following command:

     > sudo sysctl --system

Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware enforced or software enforced, with hardware providing the greater strength of mechanism.

Examples of attacks are buffer overflow attacks.

Verify SLEM 5 prevents leaking of internal kernel addresses with the following command:

     > sudo sysctl kernel.kptr_restrict
     kernel.kptr_restrict = 1

If the kernel parameter "kptr_restrict" is not equal to "1", or nothing is returned, this is a finding.

Configure SLEM 5 to prevent leaking of internal kernel addresses by running the following command:

     > sudo sysctl -w kernel.kptr_restrict=1

If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "kernel.kptr_restrict=1" >> /etc/sysctl.d/99-stig.conf'

Reload settings from all system configuration files with the following command:

     > sudo sysctl --system

Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep SLEM 5 and application software patched is a common mistake made by IT professionals. New patches are released frequently, and it is often difficult for even experienced system administrators (SAs) to keep up with of all the new patches. When new weaknesses in a SLEM 5 exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.

Verify SLEM 5 security patches and updates are installed and up to date.

Note: Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).

Check for required SLEM 5 patches and updates with the following command:

     > sudo zypper patch-check
     0 patches needed (0 security patches)

If the patch repository data is corrupt, check that the available package security updates have been installed on the system with the following command:

     > sudo cut -d "|" -f 1-4 -s --output-delimiter " | " /var/log/zypp/history | grep -v " radd "
     2023-09-25 12:23:25 | install | cockpit-ws | 298-150500.1.4
     2023-09-25 12:23:26 | install | cockpit-storaged | 298-150500.1.4
     2023-09-25 12:23:26 | install | cockpit-selinux | 298-150500.1.4

If SLEM 5 has not been patched within the site or PMO frequency, this is a finding.

Install the applicable SLEM 5 patches available from SUSE by running the following command:

     > sudo transactional-update patch

     > sudo reboot

Changes to any software components can have significant effects on the overall security of SLEM 5. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or SLEM 5 components must be signed with a certificate recognized and approved by the organization.

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. SLEM 5 should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certification Authority (CA).

Verify that SLEM 5 tool zypper has gpgcheck enabled with the following command: 

     > grep -i '^gpgcheck' /etc/zypp/zypp.conf
     gpgcheck = on

If "gpgcheck" is not set to "on", is commented out, or missing, this is a finding.

Configure that SLEM 5 tool zypper to enable gpgcheck.

Add or modify the following line in the "/etc/zypp/zypp.conf" file:

gpgcheck = on

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.

Verify SLEM 5 removes all outdated software components after updated version have been installed by running the following command:

     > grep -i upgraderemovedroppedpackages /etc/zypp/zypp.conf 
     solver.upgradeRemoveDroppedPackages = true

If "solver.upgradeRemoveDroppedPackages" is not set to "true", is commented out, or missing, this is a finding.

Configure SLEM 5 to remove all outdated software components after an update.

Add or modify the following line in the "/etc/zypp/zypp.conf" file:

solver.upgradeRemoveDroppedPackages = true

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

The session lock is implemented at the point where session activity can be determined.

Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.

Check that SLEM 5 has the "vlock" package installed with the following command: 

     > zypper search --installed-only --match-exact --provides vlock
     i | kbd | Keyboard and Font Utilities | package

If the command outputs "no matching items found", this is a finding.

Allow users to lock the console by installing the "kbd" package using zypper:

     > sudo transactional-update pkg install kbd

     > sudo reboot

It is detrimental for SLEM 5 to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

SLEM 5 is capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions).

Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled.

Verify the telnet-server package is not installed on SLEM 5.

Check that the telnet-server package is not installed on SLEM 5 by running the following command:

     > sudo zypper se telnet-server | grep Installed

If the telnet-server package is installed, this is a finding.

Remove the telnet-server package from SLEM 5 by running the following command:

     > sudo transactional-update pkg remove telnet-server

     > sudo reboot

The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.

Verify that a separate file system/partition has been created for SLEM 5 nonprivileged local interactive users (those with a UID greater than 1000) home directories with the following command:

     > awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd
     adamsj 1002 /home/adamsj /bin/bash
     jacksonm 1003 /home/jacksonm /bin/bash
     smithj 1001 /home/smithj /bin/bash

The output of the command will give the directory/partition that contains the home directories for the nonprivileged users on the system (in this example, /home) and user's shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.

Check that a file system/partition has been created for the nonprivileged interactive users with the following command:

Note: The partition of /home is used in the example.

     > grep /home /etc/fstab
     UUID=c4e898dd-6cd9-4091-a733-9435e505957a /home btrfs defaults,subvol=@/home 0 0

If a separate entry for the file system/partition that contains the nonprivileged interactive users' home directories does not exist, this is a finding.

Create a separate file system/partition for SLEM 5 nonprivileged local interactive user home directories.

Migrate the nonprivileged local interactive user home directories onto the separate file system/partition.

The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.

Verify that SLEM 5 has a separate file system/partition for "/var" with the following command:

     > grep /var /etc/fstab
     UUID=c4e898dd-6cd9-4091-a733-9435e505957a /var btrfs defaults,subvol=@/var,x-initrd.mount 0 0

If a separate entry for "/var" does not exist, this is a finding.

Create a separate file system/partition on SLEM 5 for "/var".

Migrate "/var" onto the separate file system/partition.

The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.

Verify that SLEM 5 has a separate file system/partition for the system audit data path with the following command:

Note: "/var/log/audit" is used as the example as it is a common location.

     > grep /var/log/audit /etc/fstab
     UUID=c4e898dd-6cd9-4091-a733-9435e505957a /var btrfs defaults,subvol=@/var/log/audit 0 0

If a separate entry for the system audit data path (in this example the "/var/log/audit" path) does not exist, ask the system administrator if the system audit logs are being written to a different file system/partition on the system and then grep for that file system/partition. 

If a separate file system/partition does not exist for the system audit data path, this is a finding.

Migrate SLEM 5 audit data path onto a separate file system or partition.

The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Verify SLEM 5 file systems that are being NFS exported are mounted with the "nosuid" option with the following command:

     > grep nfs /etc/fstab
     UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0

If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.

Configure SLEM 5 "/etc/fstab" file to use the "nosuid" option on file systems that are being exported via NFS.

The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Verify SLEM 5 file systems that are being NFS exported are mounted with the "noexec" option with the following command:

     > grep nfs /etc/fstab
     UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0

If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Configure SLEM 5 "/etc/fstab" file to use the "noexec" option on file systems that are being exported via NFS.

The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Verify SLEM 5 file systems used for removable media are mounted with the "nosuid" option with the following command:

     > more /etc/fstab
     UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0

If a file system found in "/etc/fstab" refers to removable media and does not have the "nosuid" option set, this is a finding.

Configure SLEM 5 "/etc/fstab" file to use the "nosuid" option on file systems that are associated with removable media.

SLEM 5 handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).

Verify SLEM 5 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. 

Verify the system partitions are all encrypted with the following commands: 

     > sudo blkid
     /dev/sda1:  "UUID=26d4a101-7f48-4394-b730-56dc00e65f64" TYPE="crypto_LUKS"
     /dev/sda2:  "UUID=f5b8a790-14cb-4b82-882d-707d52f27765" TYPE="crypto_LUKS"
     /dev/sda3:  "UUID=f2d86128-f975-478d-a5b0-25806c900eac" TYPE="crypto_LUKS"

Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.

     > sudo more /etc/crypttab
     cr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64
     cr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765
     cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac

Every persistent disk partition present on the system must have an entry in the /etc/crypttab file. 
If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.

Verify the system works in FIPS mode with the following command:

     > sudo sysctl - a | grep fips
     crypto.fips_enabled = 1

Configure SLEM 5 to prevent unauthorized modification of all information at rest by using disk encryption. 

Encrypting a partition in an already-installed system is more difficult because of the need to resize and change existing partitions. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted partition by default. Add it manually in the partitioning dialog.

The following set of commands will switch SLEM 5 to work in FIPS mode:

     >sudo transactional-update pkg install -t pattern microos-fips

     >reboot

 Add of modify the following line in the "/etc/default/grub" file to include "fips=1":

GRUB_CMDLINE_LINUX_DEFAULT="splash=silent swapaccount=1 apparmor=0 mitigations=auto quiet crashkernel=195M,high crashkernel=72M,low fips=1"

     >sudo transactional-update grub.cfg

     >sudo reboot:

The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Verify that SLEM 5 file systems that contain user home directories are mounted with the "nosuid" option.

Print the currently active file system mount options of the file system(s) that contain the user home directories with the following command:

     > for X in `awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd`; do findmnt -nkT $X; done | sort -r
     /home /dev/mapper/system-home ext4 rw,nosuid,realtime,data=ordered

If a file system containing user home directories is not mounted with the FSTYPE OPTION nosuid, this is a finding.

Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.

Configure SLEM 5 "/etc/fstab" file to use the "nosuid" option on file systems that contain user home directories for interactive users.

Remount the filesystems.

     > sudo mount -o remount /home

Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.

Verify SLEM 5 disables the ability to automount devices.

Verify the automounter service is installed with the following command:

     > sudo zypper se autofs

If it is installed, verify the automounter service is active with the following command:

     > systemctl status autofs
     autofs.service - Automounts filesystems on demand
          Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
          Active: inactive (dead)

If the "autofs" status is set to "active" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Configure SLEM 5 to disable the ability to automount devices.

Turn off the automount service with the following command:

     > sudo systemctl stop autofs

     > sudo systemctl disable autofs

If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that the system command directories have mode "755" or less permissive with the following command:

     > find -L  /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \;

If any directories are found to be group-writable or world-writable, this is a finding.

Configure the system commands to be protected from unauthorized access. Run the following command:

     > sudo find -L  /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;
     > sudo transactional-update shell
     > sudo find -L  /bin /sbin /usr/bin /usr/sbin -perm /022 -type f -exec chmod 755 '{}' \;
     > exit
     > sudo reboot

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that the system command directories have mode "755" or less permissive with the following command:

     > find -L  /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \;

If any directories are found to be group-writable or world-writable, this is a finding.

Configure the system commands to be protected from unauthorized access. Run the following command:

     > sudo find -L  /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;
     > sudo transactional-update shell
     > sudo find -L  /bin /sbin /usr/bin /usr/sbin -perm /022 -type f -exec chmod 755 '{}' \;
     > exit
     > sudo reboot

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify the system-wide shared library directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" have mode "755" or less permissive with the following command:

     > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c "%n %a" '{}' \;

If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.

Configure the library files to be protected from unauthorized access. Run the following command:

     > sudo transactional-update shell
     > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec chmod 755 '{}' \;
     > exit
     > sudo reboot

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" have mode "755" or less permissive with the following command:

     > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec stat -c "%n %a" '{}' \;

If any files are found to be group-writable or world-writable, this is a finding.

Configure the library files to be protected from unauthorized access. Run the following command:

     > sudo transactional-update shell
     > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec chmod 755 '{}' \;
     > exit
     > sudo reboot

Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.

Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.

Verify the assigned home directory of all SLEM 5 local interactive users has a mode of "750" or less permissive with the following command:

     > ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
     -rwxr-x--- 1 smithj users 18 Mar 5 17:6 /home/smithj

If home directories referenced in "/etc/passwd" do not have a mode of "750" or less permissive, this is a finding.

Change the mode of SLEM 5 local interactive user's home directories to "750". To change the mode of a local interactive user's home directory, use the following command:

Note: The example will be for the user "smithj".

     > sudo chmod 750 /home/smithj

Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

Verify that all SLEM 5 local initialization files have a mode of "740" or less permissive with the following command:

Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".

     > sudo ls -al /home/smithj/.* | more
     -rw-r-x---- 1 smithj users 896 Mar 10 2011 .profile
     -rw-r-x---- 1 smithj users 497 Jan 6 27 .login
     -rw-r-x---- 1 smithj users 886 Jan 6 27 .something

If any local initialization files have a mode more permissive than "740", this is a finding.

Set the mode of SLEM 5 local initialization files to "740" with the following command:

Note: The example will be for the smithj user, who has a home directory of "/home/smithj".

     > sudo chmod 740 /home/smithj/.

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Verify SLEM 5 SSH daemon public host key files have mode "644" or less permissive with the following command:

Note: SSH public key files may be found in other directories on the system depending on the installation.

     > find /etc/ssh -name 'ssh_host*key.pub' -exec stat -c "%a %n" {} \;
     644 /etc/ssh/ssh_host_rsa_key.pub
     644 /etc/ssh/ssh_host_dsa_key.pub
     644 /etc/ssh/ssh_host_ecdsa_key.pub
     644 /etc/ssh/ssh_host_ed25519_key.pub

If any file has a mode more permissive than "644", this is a finding.

Configure SLEM 5 SSH daemon public host key files have mode "644" or less permissive.

Note: SSH public key files may be found in other directories on the system depending on the installation.

Change the mode of public host key files under "/etc/ssh" to "644" with the following command:

     > sudo chmod 644 /etc/ssh/ssh_host*key.pub

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

Verify SLEM 5 SSH daemon private host key files have mode "640" or less permissive.

The following command will find all SSH private key files on the system with the following command:

     > sudo find / -name '*ssh_host*key' -exec ls -lL {} \;

Check the mode of the private host key files under "/etc/ssh" file with the following command:

     > find /etc/ssh -name 'ssh_host*key' -exec stat -c "%a %n" {} \;

     640 /etc/ssh/ssh_host_rsa_key
     640 /etc/ssh/ssh_host_dsa_key
     640 /etc/ssh/ssh_host_ecdsa_key
     640 /etc/ssh/ssh_host_ed25519_key

If any file has a mode more permissive than "640", this is a finding.

Configure the mode of SLEM 5 SSH daemon private host key files under "/etc/ssh" to "640" with the following command:

      > sudo chmod 640 /etc/ssh/ssh_host*key

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are owned by root with the following command:

     > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec stat -c "%n %U" '{}' \;

If any system wide library file is returned, this is a finding.

Configure the library files to be protected from unauthorized access. Run the following command:

     > sudo transactional-update shell
     > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec chown root '{}' \;
     > exit
     > sudo reboot

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root with the following command:

     > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec stat -c "%n %G" '{}' \;

If any system wide library file is returned, this is a finding.

Configure the library files to be protected from unauthorized access. Run the following command:

     > sudo transactional-update shell
     > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec chgrp root '{}' \;
     > exit
     > sudo reboot

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify the system-wide shared library directories contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are owned by root with the following command:

     > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \;

If any system wide library directory is returned, this is a finding.

Configure the library directories to be protected from unauthorized access. Run the following command:

     > sudo transactional-update shell
     > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \;
     > exit
     > sudo reboot

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify the system-wide shared library directories contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root with the following command:

     > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \;

If any system wide library directory is returned, this is a finding.

Configure the library directories to be protected from unauthorized access. Run the following command:

     > sudo transactional-update shell
     > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec chgrp root '{}' \;
     > exit
     > sudo reboot

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that the system commands are owned by root with the following command:

     > sudo find -L  /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \;

If any system commands are returned, this is a finding.

Configure the system commands to be protected from unauthorized access. Run the following command:

     > sudo transactional-update shell
     > sudo find -L  /bin /sbin /usr/bin /usr/sbin ! -user root -type f -exec chown root '{}' \;
     > exit
     > sudo reboot

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that the system commands are group-owned by root with the following command:

     > sudo find -L  /usr/local/bin /usr/local/sbin! -group root -type f -exec stat -c "%n %G" '{}' \;

If any system commands are returned, this is a finding.

Configure the system commands to be protected from unauthorized access. Run the following command:

     > sudo transactional-update shell
     > sudo find -L  /bin /sbin /usr/bin /usr/sbin ! -user root -type f -exec chown root '{}' \;
     > exit
     > sudo reboot

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that the system command directories are owned by root with the following command:

     > find -L  /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \;

If any system command directories are returned, this is a finding.

Configure the system commands to be protected from unauthorized access. Run the following command:

     > sudo transactional-update shell
     > sudo find -L  /bin /sbin /usr/bin /usr/sbin ! -user root -type d -exec chown root '{}' \;
     > exit
     > sudo reboot

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Verify that the system command directories are group-owned by root with the following command:

     > find -L  /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \;

If any system command directories are returned, this is a finding.

Configure the system commands to be protected from unauthorized access. Run the following command:

     > sudo transactional-update shell
     > sudo find -L  /bin /sbin /usr/bin /usr/sbin ! -group root -type d -exec chgrp root '{}' \;
     > exit
     > sudo reboot

Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier (UID) as the UID of the unowned files.

Verify that all SLEM 5 files and directories on the system have a valid owner with the following command:

Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.

     > sudo find / -fstype xfs -nouser

If any files on the system do not have a valid owner, this is a finding.

Either remove all files and directories from SLEM 5 that do not have a valid user or assign a valid user to all unowned files and directories on the system with the "chown" command:

     > sudo chown  

Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.

Verify all SLEM 5 files and directories on the system have a valid group with the following command:

Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.

     > sudo find / -fstype xfs -nogroup

If any files on the system do not have a valid group, this is a finding.

Either remove all files and directories from SLEM 5 that do not have a valid group or assign a valid group to all files and directories on the system with the "chgrp" command:

     > sudo chgrp  

If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.

Verify the assigned home directory of all SLEM 5 local interactive users is group-owned by that user's primary GID with the following command:

Note: This may miss local interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example.

     > awk -F: '($3>=1000)&&($7 !~ /nologin/){print $4, $6}' /etc/passwd)
     250:/home/smithj

Check the user's primary group with the following command:

     > grep users /etc/group
     users:x:250:smithj,jonesj,jacksons

If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.

Change the group owner of a SLEM 5 local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command:

Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users.

     > sudo chgrp users /home/smithj

If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.

The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.

Verify all SLEM 5 world-writable directories are group-owned by root, sys, bin, or an application group with the following command:

     > sudo find / -perm -002 -type d -exec ls -lLd {} \;
     drwxrwxrwt. 2 root root 40 Aug 26 13:7 /dev/mqueue
     drwxrwxrwt. 2 root root 220 Aug 26 13:23 /dev/shm
     drwxrwxrwt. 14 root root 4096 Aug 26 13:29 /tmp

If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.

Change the group of SLEM 5 world-writable directories to root with the following command:

     > sudo chgrp root 

Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, and hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.

This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.

There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.

Verify SLEM 5 prevents unauthorized and unintended information transfer via the shared system resources with the following command:

     > sudo find / \( -path /.snapshots -o -path /sys -o -path /proc \) -prune -o -perm -002 -type d -exec ls -lLd {} \;
     256 0 drwxrwxrwt 1 root root 4096 Jun 14 06:45 /tmp

If any of the returned directories do not have the sticky bit set, or are not documented as having the write permission for the other class, this is a finding.

Configure SLEM 5 shared system resources to prevent any unauthorized and unintended information transfer by setting the sticky bit for all world-writable directories.

An example of a world-writable directory is "/tmp" directory. Set the sticky bit on all of the world-writable directories (using the "/tmp" directory as an example) with the following command:

     > sudo chmod 1777 /tmp

For every world-writable directory, replace "/tmp" in the command above with the world-writable directory that does not have the sticky bit set.

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify SLEM 5 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.

The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Verify SLEM 5 prevents unauthorized users from accessing system error messages.

Check the "/var/log/messages" file permissions with the following command:

     > sudo stat -c "%n %U:%G %a" /var/log/messages
     /var/log/messages root:root 640

Check that "permissions.local" file contains the correct permissions rules with the following command:

     > grep -i messages /etc/permissions.local
     /var/log/messages root:root 640

If the effective permissions do not match the "permissions.local" file, the command does not return any output, or is commented out, this is a finding.

Configure SLEM 5 to prevent unauthorized users from accessing system error messages.

Add or update the following rules in "/etc/permissions.local":

/var/log/messages root:root 640

Set the correct permissions with the following command:

     > sudo chkstat --set --system

Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization.

Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.

The /var/log/btmp, /var/log/wtmp, and /var/log/lastlog files have group write and global read permissions to allow for the lastlog function to perform. Limiting the permissions beyond this configuration will result in the failure of functions that rely on the lastlog database.

Verify SLEM 5 has all system log files under the /var/log directory with a permission set to "640", by using the following command:

Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Vulnerability Discussion for details.

     > sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec stat -c "%n %a" {} \; 

If command displays any output, this is a finding.

Configure SLEM 5 to set permissions of all log files under /var/log directory to "640" or more restricted, by using the following command:

Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Vulnerability Discussion for details.

     > sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \;

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Additionally, operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission functions and the need to eliminate immediate or future remote access to organizational information systems.

Verify SLEM 5 "firewalld.service" is enabled and running with the following command:

     > systemctl status firewalld.service
          firewalld.service - firewalld - dynamic firewall daemon
               Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
               Active: active (running) since Wed 2023-11-29 08:12:35 MST

If the service is not enabled and active, this is a finding.

Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command:

     > sudo firewall-cmd --list-all

Ask the system administrator for the site or program PPSM Component Local Services Assessment (Component Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. 

If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.

If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

Configure SLEM 5 is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.

Add/modify /etc/firewalld configuration files to comply with the PPSM CAL.

Enable and start the "firewalld.service" by running the following command:

     > sudo systemctl enable firewalld.service --now

To immediately disable remote access and disconnect all current remote connections, the firewall needs to be set into panic mode.

> sudo firewall-cmd --panic-on

To allow remote access, panic mode needs to be disabled.

> sudo firewall-cmd --panic-off

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.

Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

Verify that SLEM 5 clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second with the following command:

     > sudo grep maxpoll /etc/chrony.conf
     server 0.us.pool.ntp.mil maxpoll 16

If the "server" parameter is not set to an authoritative DOD time source, "maxpoll" is greater than "16", the line is commented out, or the line is missing, this is a finding.

SLEM 5 clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second.

To configure the system clock to synchronize to an authoritative DOD time source at least every 24 hours, edit the file "/etc/chrony.conf". Add or correct the following lines by replacing "" with an authoritative DOD time source:

server  maxpoll 16

Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the information system security officer (ISSO) and restricted to only authorized personnel.

Verify SLEM 5 network interfaces are not in promiscuous mode with the following command:

     > ip link | grep -i promisc

If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.

Configure SLEM 5 network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.

Set the promiscuous mode of an interface to off with the following command:

     > sudo ip link set dev  promisc off

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4/IPv6 forwarding is enabled and the system is functioning as a router.

Verify SLEM 5 does not accept IPv4 source-routed packets with the following command:

     > sudo sysctl net.ipv4.conf.all.accept_source_route
     net.ipv4.conf.all.accept_source_route = 0

If the network parameter "ipv4.conf.all.accept_source_route" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to disable IPv4 source routing by running the following command as an administrator:

     > sudo sysctl -w net.ipv4.conf.all.accept_source_route=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Verify SLEM 5 does not accept IPv4 source-routed packets by default with the following command:

     > sudo sysctl net.ipv4.conf.default.accept_source_route
     net.ipv4.conf.default.accept_source_route = 0

If the network parameter "ipv4.conf.default.accept_source_route" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to disable IPv4 default source routing by running the following command as an administrator:

     > sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv4.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Verify SLEM 5 does not accept IPv4 ICMP redirect messages with the following command:

     > sudo sysctl net.ipv4.conf.all.accept_redirects
     net.ipv4.conf.all.accept_redirects = 0

If the network parameter "ipv4.conf.all.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to not accept IPv4 ICMP redirect messages by running the following command as an administrator:

     > sudo sysctl -w net.ipv4.conf.all.accept_redirects=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Verify SLEM 5 does not accept IPv4 ICMP redirect messages by default with the following command:

     > sudo sysctl net.ipv4.conf.default.accept_redirects
     net.ipv4.conf.default.accept_redirects = 0

If the network parameter "ipv4.conf.default.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to not accept IPv4 ICMP redirect messages by default by running the following command as an administrator:

     > sudo sysctl -w net.ipv4.conf.default.accept_redirects=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.

Verify SLEM 5 does not allow interfaces to perform IPv4 ICMP redirects with the following command:

     > sudo sysctl net.ipv4.conf.all.send_redirects
     net.ipv4.conf.all.send_redirects = 0

If the network parameter "ipv4.conf.all.send_redirects" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to not allow interfaces to perform IPv4 ICMP redirects by running the following command as an administrator:

     > sudo sysctl -w net.ipv4.conf.all.send_redirects=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.

Verify SLEM 5 does not allow interfaces to perform IPv4 ICMP redirects by default with the following command:

     > sudo sysctl net.ipv4.conf.default.send_redirects
     net.ipv4.conf.default.send_redirects = 0

If the network parameter "ipv4.conf.default.send_redirects" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to not allow interfaces to perform IPv4 ICMP redirects by default by running the following command as an administrator:

     > sudo sysctl -w net.ipv4.conf.default.send_redirects=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

Verify SLEM 5 is not performing IPv4 packet forwarding, unless the system is a router with the following command:

     > sudo sysctl net.ipv4.ip_forward
     net.ipv4.ip_forward = 0

If the network parameter "ipv4.ip_forward" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to not performing IPv4 packet forwarding by running the following command as an administrator:

     > sudo sysctl -w net.ipv4.ip_forward=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv4.ip_forward=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

Denial of service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. 

Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.

Verify SLEM 5 is configured to use IPv4 TCP syncookies with the following command:

     > sudo sysctl net.ipv4.tcp_syncookies
     net.ipv4.tcp_syncookies = 1

If the network parameter "ipv4.tcp_syncookies" is not equal to "1", or nothing is returned, this is a finding.

Configure SLEM 5 to use IPv4 TCP syncookies by running the following command as an administrator:

     > sudo sysctl -w net.ipv4.tcp_syncookies=1

If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Verify SLEM 5 does not accept IPv6 source-routed packets with the following command:

     > sudo sysctl net.ipv6.conf.all.accept_source_route
     net.ipv6.conf.all.accept_source_route = 0

If the network parameter "ipv6.conf.all.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.

Configure SLEM 5 to disable IPv6 source routing by running the following command as an administrator:

     > sudo sysctl -w net.ipv6.conf.all.accept_source_route=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv6.conf.all.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Verify SLEM 5 does not accept IPv6 source-routed packets by default with the following command:

     > sudo sysctl net.ipv6.conf.default.accept_source_route
     net.ipv6.conf.default.accept_source_route = 0

If the network parameter "ipv6.conf.default.accept_source_route" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to disable IPv6 default source routing by running the following command as an administrator:

     > sudo sysctl -w net.ipv6.conf.default.accept_source_route=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv6.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Verify SLEM 5 does not accept IPv6 ICMP redirect messages with the following command:

     > sudo sysctl net.ipv6.conf.all.accept_redirects
     net.ipv6.conf.all.accept_redirects = 0

If the network parameter "ipv6.conf.all.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to not accept IPv6 ICMP redirect messages by running the following command as an administrator:

     > sudo sysctl -w net.ipv6.conf.all.accept_redirects=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Verify SLEM 5 does not allow IPv6 ICMP redirect messages by default with the following command:

     > sudo sysctl net.ipv6.conf.default.accept_redirects
     net.ipv6.conf.default.accept_redirects = 0

If the network parameter "ipv6.conf.default.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to not accept IPv6 ICMP redirect messages by default by running the following command as an administrator:

     > sudo sysctl -w net.ipv6.conf.default.accept_redirects=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

Verify SLEM 5 is not performing IPv6 packet forwarding, unless the system is a router with the following command:

     > sudo sysctl net.ipv6.conf.all.forwarding
     net.ipv6.conf.all.forwarding = 0

If the network parameter "ipv6.conf.all.forwarding" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to not performing IPv6 packet forwarding by running the following command as an administrator:

     > sudo sysctl -w net.ipv6.conf.all.forwarding=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv6.conf.all.forwarding=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

Verify SLEM 5 is not performing IPv6 packet forwarding by default, unless the system is a router with the following command:

     > sudo sysctl net.ipv6.conf.default.forwarding
     net.ipv6.conf.default.forwarding = 0

If the network parameter "ipv6.conf.default.forwarding" is not equal to "0", or nothing is returned, this is a finding.

Configure SLEM 5 to not performing IPv6 packet forwarding by default by running the following command as an administrator:

     > sudo sysctl -w net.ipv6.conf.default.forwarding=0

If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf":

     > sudo sh -c 'echo "net.ipv6.conf.default.forwarding=0" >> /etc/sysctl.d/99-stig.conf'

     > sudo sysctl --system

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 

This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 

Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.

Verify the SSH package is installed by using the following command: 

     > zypper info openssh | grep -i installed
     Name           : openssh
     Version        : 8.4p1-3.9.1
     Arch           : X86_64
     Vendor         : SUSE LLC 
     Installed Size : 0 B
     Installed      : Yes 
     Status         : up-to-date

If the "openssh" package is not installed, this is a finding.

Install the "openssh" package on SLEM 5 with the following command:

     > sudo transactional-update pkg install openssh

Reboot the system for the changes to take effect:

     > sudo reboot

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.

Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.

Verify "sshd.service" is enabled and active by using the following command: 

     > systemctl status sshd.service | grep -i active
     Active: active (running) since Wed 2023-11-29 09:49:45 MST; 2 months 23 days ago

If "openssh.service" is not active, this is a finding.

Enable "openssh.service" to start automatically on reboot with the following command:

     > sudo systemctl enable sshd.service

For the changes to take effect immediately, start the service with the following command:

     > sudo systemctl restart sshd.service

Display of a standardized and approved use notification before granting access to SLEM 5 ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.

The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for SLEM 5 that can accommodate banners of 1300 characters:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Verify SLEM 5 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH with the following command:

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*banner'
     /etc/ssh/sshd_config:Banner /etc/issue

If "Banner" is not set to "/etc/issue", is commented out, missing, or conflicting results are returned, this is a finding.

Add or modify the following line in the "/etc/ssh/sshd_config" file: 

Banner /etc/issue/

Restart the "sshd.service":

     > sudo systemctl restart sshd.service

Failure to restrict system access via SSH to authenticated users negatively impacts SLEM 5 security.

Verify SLEM 5 disables unattended or automatic logon via SSH with the following command:

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iEH '^\s*(permit(.*?)(passwords|environment))'
     /etc/ssh/sshd_config:PermitEmptyPasswords no
     /etc/ssh/sshd_config:PermitUserEnvironment no

If "PermitEmptyPasswords" or "PermitUserEnvironment" keywords are not set to "no", are commented out, or are missing completely, this is a finding.

Configure SLEM 5 disables unattended or automatic logon via SSH.

Add or modify the following lines in the "/etc/ssh/sshd_config" file:

PermitEmptyPasswords no
PermitUserEnvironment no

Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.

Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.

Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive by using the following command:  

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientalivecountmax'
     /etc/ssh/sshd_config:ClientAliveCountMax 1

If "ClientAliveCountMax" is not set to "1", is commented out, missing, or conflicting results are returned, this is a finding.

Add or modify the following line in the "/etc/ssh/sshd_config" file:

ClientAliveCountMax 1

Restart the SSH daemon for the changes to take effect: 

     > sudo systemctl restart sshd.service

Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. 
 
Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.

Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes by using the following command: 

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientaliveinterval'
     /etc/ssh/sshd_config:ClientAliveInterval 600

If "ClientAliveInterval" is not set to "600" or less, is commented out, missing, or conflicting results are returned, this is a finding.

Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. 

Add or modify the following line in the "/etc/ssh/sshd_config" file: 

ClientAliveInterval 600

The SSH daemon must be restarted for any changes to take effect:

     > systemctl restart sshd.service

The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting.

X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.

If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.

Verify SLEM 5 SSH daemon remote X forwarded connections for interactive users are disabled with the following command:

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11forwarding'
     /etc/ssh/sshd_config:X11Forwarding no

If the "X11Forwarding" keyword is set to "yes" and is not documented with the information system security officer (ISSO) as an operational requirement, is commented out, or the line is missing, this is a finding.

Configure SLEM 5 SSH daemon to disable forwarded X connections for interactive users.

Add or modify the following line in the "/etc/ssh/sshd_config" file: 

X11Forwarding no

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.

Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.

The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection.

Verify that SLEM 5 implements DOD-approved encryption to protect the confidentiality of SSH remote connections with the following command:

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ciphers'
     /etc/ssh/sshd_config:Ciphers aes256-ctr,aes192-ctr,aes128-ctr

If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the line is commented out, or the "Ciphers" keyword is missing, or conflicting results are returned, this is a finding.

Configure the SSH server to only implement FIPS 140-2/140-3 approved ciphers.
  
Add or modify the following line in the "/etc/ssh/sshd_config" file:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

Restart the SSH daemon:

     > sudo systemctl restart sshd.service

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.

Verify SLEM 5 SSH daemon is configured to only use MACs that employ FIPS 140-2/140-3 approved hashes with the following command:

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*macs'
     /etc/ssh/sshd_config:MACs hmac-sha2-512,hmac-sha2-256

If any ciphers other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, is commented out, missing, or conflicting results are returned, this is a finding.

Configure SLEM 5 SSH daemon to only use MACs that employ FIPS 140-2/140-3 approved hashes.

Add or modify the following line in the "/etc/ssh/sshd_config" file:

MACs hmac-sha2-512,hmac-sha2-256

Without cryptographic integrity protections provided by FIPS 140-2/140-3 validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.

The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.

Verify that the SSH server is configured to use only FIPS 140-2/140-3 validated key exchange algorithms with the following command:

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kexalgorithms'
     KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 
If "KexAlgorithms" does not contain the list of algorithms in the exact order, is commented out, missing, or conflicting results are returned, this is a finding.

Configure the SSH server to use only FIPS 140-2/140-3 validated key exchange algorithms.

Add or modify the following line in the "/etc/ssh/sshd_config" file:

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

Restart the SSH daemon for changes to take effect:

     > sudo systemctl restart sshd.service

To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated.

A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the Unix OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account.

For example, the Unix and Windows SLEM 5 offer a "switch user" capability, allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator.

Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on SLEM 5 without identification or authentication.

Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.

Verify SLEM 5 denies direct logons to the root account using remote access via SSH with the following command:

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permitrootlogin'
     /etc/ssh/sshd_config:PermitRootLogin no

If the "PermitRootLogin" keyword is set to "yes", is commented out, missing, or conflicting results are returned, this is a finding.

Configure SLEM 5 to deny direct logons to the root account using remote access via SSH.

Add or modify the following line in the "/etc/ssh/sshd_config" file:

PermitRootLogin no

Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.

Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

Automated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).

Verify SSH is configured to verbosely log connection attempts and failed logon attempts to SLEM 5 with the following command:

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*loglevel'
     /etc/ssh/sshd_config:LogLevel VERBOSE

If "LogLevel" is not set to "VERBOSE", is commented out, missing, or conflicting results are returned, this is a finding.

Configure SSH to verbosely log connection attempts and failed logon attempts to SLEM 5.

Add or modify the following line in the "/etc/ssh/sshd_config" file:

LogLevel VERBOSE

Restart the SSH daemon in order for the changes to take effect:

     > sudo systemctl restart sshd.service

Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.

Verify all remote connections via SSH to SLEM 5 display feedback on when account accesses last occurred with the following command:

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*printlastlog'
     /etc/ssh/sshd_config:PrintLastLog yes

If the "PrintLastLog" is not set to "yes", is commented out, missing, or conflicting results are returned, this is a finding.

Configure SLEM 5 to provide users with feedback on when account accesses last occurred.

Add or modify the following lines in the "/etc/ssh/sshd_config" file:

PrintLastLog yes

Restart the SSH daemon in order for the changes to take effect:

     > sudo systemctl restart sshd.service

Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.

Verify SLEM 5 SSH daemon is configured to not allow authentication using "known hosts" authentication with the following command:

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ignoreuserknownhosts'
     /etc/ssh/sshd_config:IgnoreUserKnownHosts yes

If "IgnoreUserKnownHosts" is not set to "no", is commented out, missing, or conflicting results are returned, this is a finding.

Configure SLEM 5 SSH daemon to not allow authentication using "known hosts" authentication.

Add or modify the following line in the "/etc/ssh/sshd_config" file:

IgnoreUserKnownHosts yes

Restart the SSH daemon in order for the changes to take effect:

     > sudo systemctl restart sshd.service

If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.

Verify SLEM 5 SSH daemon performs strict mode checking of home directory configuration files with the following command:

     > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*strictmodes'
     /etc/ssh/sshd_config:StrictModes yes

If "StrictModes" is not set to "yes", is commented out, missing, or conflicting results are returned, this is a finding.

Configure SLEM 5 SSH daemon performs strict mode checking of home directory configuration files.

Add or modify the following line in the "/etc/ssh/sshd_config" file:

StrictModes yes

Restart the SSH daemon in order for the changes to take effect:

     > sudo systemctl restart sshd.service

If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.

The cornerstone of the PKI is the private key used to encrypt or digitally sign information.

If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user.

Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.

Verify the SSH private key files have a passcode.

For each private key stored on the system, use the following command (with the example of "/etc/ssh/ssh_host_dsa_key"):

     > ssh-keygen -y -f /etc/ssh/ssh_host_dsa_key
     Load key "/etc/ssh/ssh_host_dsa_key": Permission denied

If the contents of any key are displayed, this is a finding.

Create a new private and public key pair that uses a passcode with the following command:

     > sudo ssh-keygen -n 

The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system as it does not require interactive identification and authentication of a connection request or for the use of two-factor authentication.

Verify there are no ".shosts" files on SLEM 5 with the following command:

     > sudo find / \( -path /.snapshots -o -path /sys -o -path /proc \) -prune -o -name '.shosts' -print

If any ".shosts" files are found on the system, this is a finding.

Remove any ".shosts" files found on SLEM 5.

     > sudo rm //.shosts

The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.

Verify there are no "shosts.equiv" files on SLEM 5 with the following command:

     > sudo find /etc -name shosts.equiv

If any "shosts.equiv" files are found on the system, this is a finding.

Remove any "shosts.equiv" files found on SLEM 5.

     > sudo rm //shosts.equiv

Failure to restrict system access to authenticated users negatively impacts SLEM 5 security.

Note: If a graphical user interface is not installed, this requirement is not applicable.

Verify SLEM 5 does not allow unattended or automatic logon via the GUI.

Check that unattended or automatic login is disabled with the following commands:

     > grep -i ^DISPLAYMANAGER_AUTOLOGIN /etc/sysconfig/displaymanager
     DISPLAYMANAGER_AUTOLOGIN=""

     > grep -i ^DISPLAYMANAGER_PASSWORD_LESS_LOGIN /etc/sysconfig/displaymanager
     DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"

If the "DISPLAYMANAGER_AUTOLOGIN" parameter includes a username or the "DISPLAYMANAGER_PASSWORD_LESS_LOGIN" is not set to "no", this is a finding.

Note: If a graphical user interface is not installed, this requirement is not applicable.

Configure SLEM 5 GUI to not allow unattended or automatic logon to the system.

Add or modify the following lines in the "/etc/sysconfig/displaymanager" file:

DISPLAYMANAGER_AUTOLOGIN=""
DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"

Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise SLEM 5.

This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with a SLEM 5. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice, pointing devices, and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the AO. Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise SLEM 5. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.

Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.

Verify that SLEM 5 has no wireless network adapters enabled with the following command:

     > sudo wicked show all
     ...
     wlan0 up
     link: #3, state up, mtu 1500
     type: wireless, hwaddr 06:00:00:00:00:02
     config: wicked:xml:/etc/wicked/ifconfig/wlan0.xml
     leases: ipv4 dhcp granted
     addr: ipv4 10.0.0.101/16 [dhcp]
     route: ipv4 default via 10.0.0.1 proto dhcp

If a wireless interface is configured and has not been documented and approved by the AO, this is a finding.

Configure SLEM 5 to disable all wireless network interfaces with the following command:

For each interface of type wireless, bring the interface into "down" state:

     > sudo wicked ifdown wlan0

For each interface of type wireless with a configuration type of "compat:suse:", remove the associated file:

     > sudo rm /etc/sysconfig/network/ifcfg-wlan0

For each interface of type wireless, for each configuration of type "wicked:xml:", remove the associated file or remove the interface configuration from the file.

     > sudo rm /etc/wicked/ifconfig/wlan0.xml

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

Peripherals include but are not limited to such devices as flash drives, external storage, and printers.

Verify SLEM 5 does not automount USB mass storage devices when connected to the host with the following command:

     > grep usb-storage /etc/modprobe.d/50-blacklist.conf
     blacklist usb-storage

If the line is commented out or the line is missing, this is a finding.

Configure SLEM 5 to prevent USB mass storage devices from automounting when connected to the host.

Add or modify the following line in the "/etc/modprobe.d/50-blacklist.conf" file:

blacklist usb-storage

If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Verify all SLEM 5 local interactive users on the system are assigned a home directory upon creation with the following command:

     > grep -i create_home /etc/login.defs
     CREATE_HOME yes

If the "CREATE_HOME" parameter is not set to "yes", the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to assign home directories to all new local interactive users.

Add or modify the following line in the "/etc/login.defs" file:

CREATE_HOME yes

Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.

Verify SLEM 5 defines default permissions for all authenticated users in such a way that the users can only read and modify their own files with the following command:
 
     > grep -i "^umask" /etc/login.defs
     UMASK 077

If the "UMASK" variable is set to "000", the severity is raised to a CAT I and this is a finding.

If the value of "UMASK" is not set to "077", the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to define the default permissions for all authenticated users in such a way that the users can only read and modify their own files.

Add or modify the following line in the "/etc/login.defs" file:

UMASK 077

Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Verify SLEM 5 enforces a delay of at least five seconds between logon prompts following a failed logon attempt with the following command:

     > grep -i fail_delay /etc/login.defs
     FAIL_DELAY 5

If the value of "FAIL_DELAY" is not set to "5" or greater, the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to enforce a delay of at least five seconds between logon prompts following a failed logon attempt.

Add or modify the following line in the "/etc/login.defs" file:

FAIL_DELAY 5

If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Verify SLEM 5 local interactive users on the system have a home directory assigned with the following command:

     > sudo pwck -r
     user 'smithj': directory '/home/smithj' does not exist

Ask the system administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command:

     > awk -F: '($3>=1000)&&($1!="nobody"){print $1 ":" $3}' /etc/passwd

If any interactive users do not have a home directory assigned, this is a finding.

Assign home directories to all SLEM 5 local interactive users that currently do not have a home directory assigned.

Assign a home directory to users via the usermod command:

     > sudo usermod -d /home/smithj smithj

If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a denial of service (DoS) because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.

Verify the assigned home directory of all SLEM 5 local interactive users on the system exists.

Check the home directory assignment for all local interactive nonprivileged users on the system with the following command:

     > awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $6}' /etc/passwd
     smithj /home/smithj

Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.

Check that all referenced home directories exist with the following command:

     > sudo pwck -r
     user 'smithj': directory '/home/smithj' does not exist

If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.

Create home directories to all SLEM 5 local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd":

Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd".

     > sudo mkdir /home/smithj 
     > sudo chown smithj /home/smithj
     > sudo chgrp users /home/smithj
     > sudo chmod 0750 /home/smithj

The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the information system security officer (ISSO).

Verify that all SLEM 5 local interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the user's home directory with the following command:

Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".

     > sudo grep -i path= /home/smithj/.*

/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin

If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the ISSO as an operational requirement, this is a finding.

Edit SLEM 5 local interactive user initialization files to change any PATH variable statements for executables that reference directories other than their home directory. If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.

If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.

Verify that SLEM 5 local initialization files do not execute world-writable programs with the following command:

     > sudo find / -xdev -perm -002 -type f -exec ls -ld {} \;

For all files listed, check for their presence in the local initialization files with the following command:

Note: The example will be for a system that is configured to create users' home directories in the "/home" directory.

     > sudo find /home/* -maxdepth 1 -type f -name \.\* -exec grep -H  {} \;

If any local initialization files are found to reference world-writable files, this is a finding.

Remove the references to these files in the local initialization scripts or remove the world-writable permission of files referenced by SLEM 5 local initialization scripts with the following command:

     > sudo chmod 755 

Temporary accounts are privileged or nonprivileged accounts established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. 
 
Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements.
 
The automatic expiration of temporary accounts may be extended as needed by the circumstances, but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts.

Verify temporary accounts have been provisioned with an expiration date of 72 hours with the following command:

     > sudo chage -l  | grep -E '(Password|Account) expires' 

If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

Configure SLEM 5 to expire temporary accounts after 72 hours with the following command:

      >sudo chage -E $(date -d +3days +%Y-%m-%d) 

Emergency administrator accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements.

Verify SLEM 5 is configured such that emergency administrator accounts are never automatically removed or disabled with the following command:

Note: Root is typically the "account of last resort" on a system and is also used as the example emergency administrator account. If another account is being used as the emergency administrator account, the command should be used against that account.

     > sudo chage -l  | grep -E '(Password|Account) expires' 
     Password expires: never
     Account expires: never

If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.

Configure SLEM 5 to never automatically remove or disable emergency administrator accounts.

     > sudo chage -I -1 -M 99999 

Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.

Verify all SLEM 5 accounts are assigned to an active system, application, or user account with the following command:

     > more /etc/passwd
     root:x:0:0:root:/root:/bin/bash
     ...
     games:x:12:100:Games account:/var/games:/bin/bash

Obtain the list of authorized system accounts from the information system security officer (ISSO).

If the accounts on the system do not match the provided documentation, this is a finding.

Configure SLEM 5 so all accounts on the system are assigned to an active system, application, or user account.

Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions.

Document all authorized accounts on the system.

Accounts providing no operational purpose provide additional opportunities for system compromise. Therefore all necessary noninteractive accounts should not have an interactive shell assigned to them.

Verify all noninteractive SLEM 5 accounts do not have an interactive shell assigned to them with the following command:

Check the system accounts on the system.

     > awk -F: '($7 !~ "/sbin/nologin" && $7 !~ "/bin/false"){print $1 ":" $3 ":" $7}' /etc/passwd
     root:0:/bin/bash
     nobody:65534:/bin/bash

Obtain the list of authorized system accounts from the information system security officer (ISSO).

If noninteractive accounts such as "games" or "nobody" are listed with an interactive shell, this is a finding.

Configure SLEM 5 so that all noninteractive accounts on the system have no interactive shell assigned to them.

Run the following command to disable the interactive shell for a specific noninteractive user account:

     > sudo usermod --shell /sbin/nologin nobody

If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SLEM 5. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.

Verify that SLEM 5 root account is the only account with unrestricted access to the system with the following command:

     > awk -F: '$3 == 0 {print $1}' /etc/passwd
     root

If any accounts other than root are listed, this is a finding.

Change the UID of any account on SLEM 5, other than the root account, that has a UID of "0". 

If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". 

If the account is not associated with system commands or applications, assign a UID of greater than "1000" that has not already been assigned.

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.

SLEM 5 must track periods of inactivity and disable application identifiers after 35 days of inactivity.

Verify SLEM 5 disables account identifiers after 35 days of inactivity after the password expiration with the following command:

     > sudo grep -i '^inactive' /etc/default/useradd
     INACTIVE=35

If the value for "INACTIVE" is not set to a value greater than "0" and less than or equal to "35", if the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to disable account identifiers after 35 days of inactivity after the password expiration.

Run the following command to change the configuration for "useradd" to disable the account identifier after "35" days:

     > sudo useradd -D -f 35

DOD recommendation is "35" days, but a lower value greater than "0" is acceptable.

To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.

Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 

1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and

2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.

Verify SLEM 5 contains no duplicate UIDs for interactive users with the following command:

     > awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd

If output is produced, this is a finding.

Configure SLEM 5 to contain no duplicate UIDs for interactive users.

Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.

Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.

Verify SLEM 5 users are provided with feedback on when account accesses last occurred with the following command:

     > grep pam_lastlog /etc/pam.d/login
     session required pam_lastlog.so showfailed 

If "pam_lastlog" is missing from "/etc/pam.d/login" file, the "silent" option is present, the second column value different from "requisite", or the returned line is commented out, this is a finding.

Configure SLEM 5 to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login".

Add the following line to the top of "/etc/pam.d/login":

session required pam_lastlog.so showfailed

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.

Rather than relying on the users to manually lock their SLEM 5 session prior to vacating the vicinity, SLEM 5 needs to be able to identify when a user's session has idled and take action to initiate the session lock.

The session lock is implemented at the point where session activity can be determined and/or controlled.

Verify SLEM 5 must initiate a session logout after a 15-minute period of inactivity for all connection type with the following command:

     > cat /etc/profile.d/autologout.sh
     TMOUT=900
     readonly TMOUT
     export TMOUT

If the file "/etc/profile.d/autologout.sh" does not exist or the output from the function call is not exactly the same, this is a finding.

Configure SLEM 5 to initiate a session lock after a 15-minute period of inactivity.

Create or edit the "/etc/profile.d/autologout.sh" file and add or modify the following lines:

TMOUT=900
readonly TMOUT
export TMOUT

Set the proper permissions for the "/etc/profile.d/autologout.sh" file with the following command:

     > sudo chmod +x /etc/profile.d/autologout.sh

By limiting the number of failed access attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

The pam_tally2.so module maintains a count of attempted accesses. This includes username entry into a logon field as well as password entry. With counting access attempts, it is possible to lock an account without presenting a password into the password field. This should be taken into consideration as it poses as an avenue for denial of service (DoS).

Verify SLEM 5 locks a user account after three consecutive failed access attempts until the locked account is released by an administrator with the following command:

     > grep pam_tally2.so /etc/pam.d/common-auth 
     auth required pam_tally2.so onerr=fail deny=3 

If "deny" set to a value other than "1", "2", or "3", if "onerr=fail" is missing, if the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to lock an account when three unsuccessful access attempts occur.

Note: Manual changes to the listed files may be overwritten by the "pam-config" program. The "pam-config" program should not be used to update the configurations listed in this requirement.

Add or modify the first line of the auth section in the "/etc/pam.d/common-auth" file to match the following line:

auth required pam_tally2.so onerr=fail silent audit deny=3

Add or modify the following line in the "/etc/pam.d/common-account" file:

account required pam_tally2.so

Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Verify SLEM 5 enforces a delay of at least five seconds between logon prompts following a failed logon attempt with the following command:

     > grep pam_faildelay /etc/pam.d/common-auth
     auth required pam_faildelay.so delay=5000000

If the value of "delay" is not set to "5000000" or greater, "delay" is missing, the line is commented out, or the "pam_faildelay" line is missing completely, this is a finding.

Configure SLEM 5 to enforce a delay of at least five seconds between logon prompts following a failed logon attempt.

Add or modify the following line in the "/etc/pam.d/common-auth" file:

auth required pam_faildelay.so delay=5000000

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.

SELinux, enforcing a targeted policy, will be required to match the default directory's security context type.

Verify the location of the default tallylog file for the pam_tally2 module with the following command:

Note: If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_tally2 module is not configured for use, this requirement is not applicable.

     > sudo  grep -R pam_tally2 /etc/pam.d/login | grep "file=" | grep -v "^#"

If the command returns any information, this is a finding.

Check the security context type of the default tally2 directory with the following command:

     > sudo ls -Z /var/log/tallylog
 
system_u:object_r:tallylog_t:s0 /var/log/tallylog

If the security context type of the tally directory is not "tallylog_t", this is a finding.

Configure SLEM 5 to use the default pam_tally2 tally directory while SELinux enforces a targeted policy.

Remove the pam_tallly nondefault tally directory if any, by removing "file=[directory-name]" configuration part from /etc/pam.d/login:

     > sudo sed -ri 's/\s+file=\S+\s+/ /g' /etc/pam.d/login 

Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "tallylog_t" context type for the default pam_tally2 tally directory with the following command:

     > sudo semanage fcontext -a -t tallylog_t "/var/log/tallylog" 

Next, update the context type of the default tallylog directory/subdirectories and files with the following command: 

     > sudo restorecon -R -v /var/log/tallylog

SLEM 5 management includes the ability to control the number of users and user sessions that use a SLEM 5. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks.

This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.

Verify SLEM 5 limits the number of concurrent sessions to 10 for all accounts and/or account types with the following command:

     > grep "maxlogins" /etc/security/limits.conf
     * hard maxlogins 10

If the "maxlogins" does not have a value of "10" or less, is commented out, or is missing, this is a finding.

Configure SLEM 5 to limit the number of concurrent sessions to "10" or less for all accounts and/or account types.

Add or modify the following line to the file "/etc/security/limits.conf":

* hard maxlogins 10

Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.

Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.

Verify SLEM 5 has the policycoreutils package installed with the following command:

     > sudo zypper search -i policycoreutils
     I | policycoreutils | SELinux policy core utilities | package

If the policycoreutils package is not installed, this is a finding.

Configure SLEM 5 to have the policycoreutils package installed with the following command:

     > sudo transactional-update pkg install policycoreutils

     > sudo reboot

Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.

This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.

Verify "SELinux" is active and in "Enforcing" mode with the following command:

     > sudo getenforce
     Enforcing

If "SELinux" is not  in "Enforcing" mode, this is a finding.

Configure SLEM 5 to verify correct operation of all security functions.

Add or modify the following line in the "/etc/selinux/config" file:

SELINUX=enforcing

A reboot is required for the changes to take effect.

Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.

This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.

Verify "SELinux" is active and enforcing the targeted policy with the following command:

     > sudo sestatus
     SELinux status: enabled
     SELinuxfs mount: /sys/fs/selinux
     SELinux root directory: /etc/selinux
     Loaded policy name: targeted
     Current mode: enforcing
     Mode from config file: enforcing
     Policy MLS status: enabled
     Policy deny_unknown status: allowed
     Memory protection checking: actual (secure)
     Max kernel policy version: 33

If the "Loaded policy name" is not set to "targeted", this is a finding.

Configure SLEM 5 to verify correct operation of all security functions.

Add or modify the following line in the "/etc/selinux/config" file:

SELINUXTYPE=targeted

A reboot is required for the changes to take effect.

Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.

Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.

Verify SLEM 5 prevents nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.

Obtain a list of authorized users (other than system administrator and guest accounts) for the system.

Check the list against the system with the following command: 

     > sudo semanage login -l | more 
     Login Name SELinux User MLS/MCS Range Service 
     __default__ user_u s0-s0:c0.c1023 * 
     root unconfined_u s0-s0:c0.c1023 * 
     system_u system_u s0-s0:c0.c1023 * 
     joe staff_u s0-s0:c0.c1023 * 

All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization.

All authorized nonadministrative users must be mapped to the "user_u" role.

If any interactive users are not mapped in this way, this is a finding.

Configure SLEM 5 to prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.
 
Use the following command to map a new user to the "sysadm_u" role: 
 
     > sudo semanage login -a -s sysadm_u  
 
Use the following command to map an existing user to the "sysadm_u" role: 
 
     > sudo semanage login -m -s sysadm_u  
 
Use the following command to map a new user to the "staff_u" role: 
 
     > sudo semanage login -a -s staff_u  
 
Use the following command to map an existing user to the "staff_u" role: 
 
     > sudo semanage login -m -s staff_u  
 
Use the following command to map a new user to the "user_u" role: 
 
     > sudo  semanage login -a -s user_u  
 
Use the following command to map an existing user to the "user_u" role: 
 
     > sudo semanage login -m -s user_u 

The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.

For more information on each of the listed configurations, reference the sudoers(5) manual page.

Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation with the following command:

     > sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'
     /etc/sudoers:Defaults !targetpw
     /etc/sudoers:Defaults !rootpw
     /etc/sudoers:Defaults !runaspw

If "Defaults" types are not defined for "!targetpw", "!rootpw", and "!runaspw", there are conflicting results between files, this is a finding.

Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:

Defaults !targetpw
Defaults !rootpw
Defaults !runaspw

Without reauthentication, users may access resources or perform tasks for which they do not have authorization.

When SLEM 5 provides the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate.

Verify that SLEM 5 requires reauthentication when changing authenticators, roles, or escalating privileges with the following command:

     > sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers

If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.

Configure SLEM 5 to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.

Without reauthentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to reauthenticate when using the "sudo" command.

If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated.

Verify SLEM 5 requires reauthentication when using the "sudo" command to elevate privileges with the following command:

     > sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d
     /etc/sudoers:Defaults timestamp_timeout=0

If "timestamp_timeout" is set to a negative number, is commented out, conflicting results are returned, or no results are returned, this is a finding.

Configure the "sudo" command to require reauthentication.

Add or modify the following line in the "/etc/sudoers" file:

Defaults timestamp_timeout=

Note: The "" must be a number that is greater than or equal to "0".

The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms the request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.

Verify the "sudoers" file restricts sudo access to authorized personnel with the following command:

     > sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*
     root ALL=(ALL) ALL

If "ALL     ALL=(ALL) ALL" or "ALL     ALL=(ALL:ALL) ALL" entries are returned, this is a finding.

Remove the following entries from the "/etc/sudoers" file:

ALL     ALL=(ALL) ALL
ALL     ALL=(ALL:ALL) ALL

The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without reauthenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.

It is possible to include other sudoers files from within the sudoers file currently being parsed using the @include and @includedir directives. For compatibility with sudo versions prior to 1.9.1, #include and #includedir are also accepted. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.

Verify SLEM 5 specifies only the default "include" directory for the /etc/sudoers file, and does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command:

Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable.

     > sudo find /etc/sudoers /etc/sudoers.d -type f -exec grep -H "[#@]include" {} +
     /etc/sudoers:@includedir /etc/sudoers.d

If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding.

Configure the "/etc/sudoers" file to only include the "/etc/sudoers.d" directory.

Add or modify the following line:

@includedir /etc/sudoers.d

Remove any nested includes under the "/etc/sudoers.d" directory.

Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Verify SLEM 5 enforces password complexity by requiring at least one uppercase character with the following command:

     > grep pam_cracklib.so /etc/pam.d/common-password
     password requisite pam_cracklib.so ucredit=-1

If the value for "ucredit" is not "-1", if "ucredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to enforce password complexity by requiring at least one uppercase character.

Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ucredit=-1" after the third column.

Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Verify SLEM 5 enforces password complexity by requiring at least one lower character with the following command:

     > grep pam_cracklib.so /etc/pam.d/common-password
     password requisite pam_cracklib.so lcredit=-1

If the value for "lcredit" is not "-1", if "lcredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to enforce password complexity by requiring at least one lowercase character.

Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "lcredit=-1" after the third column.

Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Verify SLEM 5 enforces password complexity by requiring at least one numeric character with the following command:

     > grep pam_cracklib.so /etc/pam.d/common-password
     password requisite pam_cracklib.so dcredit=-1

If the value for "dcredit" is not "-1", if "dcredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to enforce password complexity by requiring at least one numeric character.

Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "dcredit=-1" after the third column.

Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Special characters are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.

Verify SLEM 5 enforces password complexity by requiring at least one special character with the following command:

     > grep pam_cracklib.so /etc/pam.d/common-password
     password requisite pam_cracklib.so ocredit=-1

If the value for "ocredit" is not "-1", if "ucredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to enforce password complexity by requiring at least one special character.

Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ocredit=-1" after the third column.

If SLEM 5 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

Verify SLEM 5 prevents the use of dictionary words for passwords with the following command:

     > grep pam_cracklib.so /etc/pam.d/common-password
     password requisite pam_cracklib.so

If the second column value is different from "requisite", the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to prevent the use of dictionary words for passwords.

Edit "/etc/pam.d/common-password" and add the following line:

password requisite pam_cracklib.so

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps determine strength and how long it takes to crack a password. Use of more characters in a password helps exponentially increase the time and/or resources required to compromise the password.

Verify SLEM 5 enforces a minimum 15-character password length with the following command:

     > grep pam_cracklib.so /etc/pam.d/common-password
     password requisite pam_cracklib.so minlen=15

If the value for "minlen" is not "15" or greater, the "minlen" option is missing from the line, the second column has a value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to enforce a minimum 15-character password length.

Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "minlen=15" after the third column.

The DOD standard requires a minimum 15-character password length.

If SLEM 5 allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.

Verify SLEM 5 requires at least eight characters be changed between the old and new passwords during a password change with the following command:

     > grep pam_cracklib.so /etc/pam.d/common-password
     password requisite pam_cracklib.so difok=8

If the value for "difok" is not "8" or greater, if "difok" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 to require at least eight characters be changed between the old and new passwords during a password change with the following command:

Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "difok=8" after the third column.

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Verify SLEM 5 prohibits the reuse of a password for a minimum of five generations with the following command:

     > grep pam_pwhistory.so /etc/pam.d/common-password
     password requisite pam_pwhistory.so remember=5 use_authtok

If the value for "remember" is not "5" or greater, if the "remember" option is missing from the line, if the "use_authtok" option is missing, if the second column has a value different from "requisite", if the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 password history to prohibit the reuse of a password for a minimum of five generations.

Edit "/etc/pam.d/common-password" and edit the line containing "pam_pwhistory.so" to contain the option "remember=5 use_authtok" after the third column.

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Verify SLEM 5 configures the Linux PAM to only store encrypted representations of passwords with the following command:

     > grep pam_unix.so /etc/pam.d/common-password
     password required pam_unix.so sha512

If the value "sha512" is not present in the line, the second column value is different from "requisite", the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength.

Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third column. Remove the "nullok" option if it exists.

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Verify SLEM 5 is not configured to allow blank or null passwords with the following command:

     > grep pam_unix.so /etc/pam.d/* | grep nullok

If this produces any output, this is a finding.

Configure SLEM 5 to not allow blank or null passwords.

Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password" to prevent logons with empty passwords.

If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Check the "/etc/shadow" file for blank passwords with the following command:

     > sudo awk -F: '!$2 {print $1}' /etc/shadow

If the command returns any results, this is a finding.

Configure all accounts on the system to have a password or lock the account with the following commands:

Perform a password reset:
     > sudo passwd 

Lock the account:
     > sudo passwd -l 

Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Verify SLEM 5 enforces a minimum time period between password changes for each user account of one day or greater with the following command:

     > sudo awk -F: '$4 < 1 {print $1 ":" $4}' /etc/shadow
     smithj:1

If any results are returned that are not associated with a system account, this is a finding.

Configure SLEM 5 to enforce 24 hours/one day or greater as the minimum password age for user accounts.

Change the minimum time period between password changes for each  account to "1" day with the command, replacing  with the user account that must be changed:

     > sudo passwd -n 1 

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLEM 5 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLEM 5 passwords could be compromised.

Verify that SLEM 5 enforces a maximum user password age of 60 days or less with the following command:

     > sudo awk -F: '$5 > 60 || $5 == "" {print $1 ":" $5}' /etc/shadow

If any results are returned that are not associated with a system account, this is a finding.

Configure SLEM 5 to enforce a maximum password age of each  account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance:

     > sudo passwd -x 60 

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Verify the password history file exists on SLEM 5 with the following command:

     > ls -al /etc/security/opasswd
     -rw------- 1 root root 82 Dec 7 19:41 /etc/security/opasswd

If the "/etc/security/opasswd" file does not exist, this is a finding.

Configure SLEM 5 to create the password history file with the following commands:

Create the file:
     > sudo touch /etc/security/opasswd

Set ownership permissions:
     > sudo chown root:root /etc/security/opasswd

Set access permissions:
     > sudo chmod 0600 /etc/security/opasswd

The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Verify SLEM 5 shadow password suite is configured to encrypt interactive user passwords using FIPS 140-2/140-3-approved cryptographic hash with the following command:

     > sudo cut -d: -f2 /etc/shadow
     $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/

Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated.

If any interactive user password hash does not begin with "$6", this is a finding.

Configure SLEM 5 to encrypt all stored passwords with FIPS 140-2/140-3-approved cryptographic hash.

Add or modify the following line in the "/etc/login.defs" file:

ENCRYPT_METHOD SHA512

Lock all interactive user accounts not using SHA512 hashing until the passwords can be regenerated.

The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Verify SLEM 5 shadow password suite is configured to encrypt passwords using sufficient number of hashing rounds.

     > egrep "^SHA_CRYPT_" /etc/login.defs
     SHA_CRYPT_MIN_ROUNDS 5000
     SHA_CRYPT_MAX_ROUNDS 5000

If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding.

If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.

Configure SLEM 5 shadow password suite is configured to encrypt passwords using sufficient number of hashing rounds.

Add or modify the following line in the "/etc/login.defs" file:

SHA_CRYPT_MIN_ROUNDS 5000

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DOD data may be compromised.

SLEM 5 using encryption are required to use FIPS 140-2/140-3 compliant mechanisms for authenticating to cryptographic modules.

FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.

Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2/140-3 approved cryptographic hashing algorithm with the following command:

     > grep "^ENCRYPT_METHOD " /etc/login.defs
     ENCRYPT_METHOD SHA512

If "ENCRYPT_METHOD" is not set to "SHA512", if any values other that "SHA512" are configured, or if no output is produced, this is a finding.

Configure SLEM 5 to require "ENCRYPT_METHOD" of "SHA512".

Add or modify the following line in the "/etc/login.defs" file:

ENCRYPT_METHOD SHA512

Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Verify SLEM 5 creates or updates passwords with minimum password age of one day or greater with the following command:

     > grep '^PASS_MIN_DAYS' /etc/login.defs
     PASS_MIN_DAYS 1

If "PASS_MIN_DAYS" does not have a value of "1" or greater, the line is commented out, or no line is returned, this is a finding.

Configure SLEM 5 to enforce 24 hours/one day or greater as the minimum password age.

Add or modify the following line in the "/etc/login.defs" file:

PASS_MIN_DAYS 

The DOD requirement is "1", but a greater value is acceptable.

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLEM 5 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLEM 5 passwords could be compromised.

Verify that SLEM 5 is configured to create or update passwords with a maximum password age of 60 days or less with the following command:

     > grep '^PASS_MAX_DAYS' /etc/login.defs

If "PASS_MAX_DAYS" is not set to a value of "60" or less, but greater than "0", the line is commented out, or no line is returned, this is a finding.

Configure SLEM 5 to enforce a maximum password age of 60 days or less.

Add or modify the following line in the "/etc/login.defs" file:

PASS_MAX_DAYS 

The DOD requirement is 60 days or less (but greater than zero, as zero days will lock the account immediately).

Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC.

A privileged account is defined as an information system account with authorizations of a privileged user.

Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).

Verify SLEM 5 has the packages required for multifactor authentication installed.

Check for the presence of the packages required to support multifactor authentication with the following commands:

     > zypper info pam_pkcs11 | grep -i installed
     Installed:    Yes

     > zypper info mozilla-nss | grep -i installed
     Installed:    Yes

     > zypper info mozilla-nss-tools | grep -i installed
     Installed:    Yes

     > zypper info pcsc-ccid | grep -i installed
     Installed:    Yes

     > zypper info pcsc-lite | grep -i installed
     Installed:    Yes

     > zypper info pcsc-tools | grep -i installed
     Installed:    Yes

     > zypper info opensc | grep -i installed
     Installed:    Yes

     > zypper info coolkey | grep -i installed
     Installed:    Yes

If any of the packages required for multifactor authentication are not installed, this is a finding.

Configure SLEM 5 to implement multifactor authentication by installing the required packages.

Install the packages required to support multifactor authentication with the following commands:

     > sudo transactional-update pkg install pam_pkcs11

     > sudo reboot

     > sudo transactional-update pkg install mozilla-nss

     > sudo reboot

     > sudo transactional-update pkg install mozilla-nss-tools

     > sudo reboot

     > sudo transactional-update pkg install pcsc-ccid

     > sudo reboot

     > sudo transactional-update pkg install pcsc-lite

     > sudo reboot

     > sudo transactional-update pkg install pcsc-tools

     > sudo reboot

     > sudo  transactional-update pkg install opensc

     > sudo reboot

     > sudo transactional-update pkg install  coolkey

     > sudo reboot

Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC.

A privileged account is defined as an information system account with authorizations of a privileged user.

Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).

Verify SLEM 5 implements multifactor authentication for remote access to privileged accounts via PAM with the following command:

     > grep pam_pkcs11.so /etc/pam.d/common-auth
     auth sufficient pam_pkcs11.so

If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", or the line is commented out, this is a finding.

Configure SLEM 5 to implement multifactor authentication for remote access to privileged accounts via PAM.

Add or modify the following line in the "/etc/pam.d/common-auth" file:

auth sufficient pam_pkcs11.so

Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the information system is compromised.

Multifactor solutions that require devices separate from information systems to gain access include hardware tokens providing time-based or challenge-response authenticators, and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC.

A privileged account is defined as an information system account with authorizations of a privileged user.

Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

This requirement only applies to components with device-specific functions, or for organizational users (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).

Verify SLEM 5 implements certificate status checking for multifactor authentication with the following command:

     > grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy
     cert_policy = ca,ocsp_on,signature,crl_auto;

If "cert_policy" is not set to include "ocsp", this is a finding.

Configure SLEM 5 to certificate status checking for PKI authentication.

Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".

Note: OCSP allows sending request for certificate status information. Additional certificate validation polices are permitted.

Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

If cached authentication information is out of date, the validity of the authentication information may be questionable.

If NSS is used by SLEM 5, verify it prohibits the use of cached authentications after one day with the following command:

Note: If NSS is not used on the operating system, this is not applicable.

     > sudo grep -i "memcache_timeout" /etc/sssd/sssd.conf
     memcache_timeout = 86400

If "memcache_timeout" has a value greater than "86400", the line is commented out, or the line is missing, this is a finding.

Configure NSS, if used by SLEM 5, to prohibit the use of cached authentications after one day.

Add or modify the following line in the "/etc/sssd/sssd.conf" file, below the line "[nss]":

memcache_timeout = 86400

If cached authentication information is out of date, the validity of the authentication information may be questionable.

Verify that SLEM 5 PAM prohibits the use of cached off line authentications after one day with the following command:

Note: If SSSD is not being used on the operating system, this is not applicable.

     > sudo grep "offline_credentials_expiration" /etc/sssd/sssd.conf
     offline_credentials_expiration = 1

If "offline_credentials_expiration" is not set to a value of "1", the line is commented out, or the line is missing, this is a finding.

Configure SLEM 5 PAM to prohibit the use of cached authentications after one day.

Add or modify the following line in the "/etc/sssd/sssd.conf" file, below the line "[pam]":

offline_credentials_expiration = 1

Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.

A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.

When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.

This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.

Verify SLEM 5 for PKI-based authentication had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor with the following command:

     > grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
     cert_policy = ca,oscp_on,signature,crl_auto;

If "cert_policy" is not set to include "ca" on all returned lines, this is a finding.

Configure SLEM 5 for PKI-based authentication to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ca":

cert_policy = ca,signature,oscp_on;

Note: Additional certificate validation polices are permitted.

Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

The "pam-config" command line utility automatically generates a system PAM configuration as packages are installed, updated, or removed from the system. "pam-config" removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security.

Verify SLEM 5 is configured to not overwrite PAM configuration on package changes with the following command:

     > find /etc/pam.d/ -type l -iname "common-*"

If any results are returned, this is a finding.

Copy the PAM configuration files to their static locations and remove SLEM 5 soft links for the PAM configuration files with the following command:

     > sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done'

Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.

This requirement applies to SLEM 5 performing security function verification/testing and/or systems and environments that require this functionality.

Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions with the following command:

     > sudo zypper if aide | grep -i installed
     Installed: Yes

If AIDE is not installed, ask the system administrator how file integrity checks are performed on the system.

If there is no application installed to perform integrity checks, this is a finding.

If AIDE is installed, check if it has been initialized with the following command:
 
     > sudo aide --check

If the output is "Couldn't open file /var/lib/aide/aide.db for reading", this is a finding.

Install AIDE, initialize it, and perform a manual check by using the following commands:

Install AIDE:
     > sudo transactional-update pkg install aide
     > sudo reboot

Initialize AIDE (this may take a few minutes):
     > sudo aide -i

The new database will need to be renamed to be read by AIDE:
     > sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Perform a manual check:
     > sudo aide --check

Example output:
     Summary:
       Total number of files:        140621
       Added files:                         1
       Removed files:                    1
       Changed files:                     0

ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.

Verify that SLEM 5 file integrity tool is configured to verify extended attributes.

     > sudo grep acl /etc/aide.conf
     All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux

If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

Configure SLEM 5 file integrity tool to check file and directory ACLs.

If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.

Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.

Verify that SLEM 5 file integrity tool is configured to verify extended attributes.

     > sudo grep xattrs /etc/aide.conf
     All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux

If the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

Configure SLEM 5 file integrity tool to check file and directory extended attributes.

If AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists.

Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.

Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs.

To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.

Verify that SLEM 5 file integrity tool is configured to protect the integrity of the audit tools.

Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command:

     > sudo grep /usr/sbin/au /etc/aide.conf
     /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

If any of the seven lines do not appear as shown, are commented out, or are missing, this is a finding.

Configure SLEM 5 file integrity tool to protect the integrity of the audit tools.

Add or modify the following lines in the "/etc/aide.conf" file:

# audit tools
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to SLEM 5. Changes to SLEM 5 configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of SLEM 5. SLEM 5's information system security manager (ISSM)/information system security officer (ISSO) and system administrator (SA) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Verify SLEM 5 checks the baseline configuration using AIDE for unauthorized changes at least once weekly with the following command:

Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week.

     > sudo grep -R aide /etc/crontab /etc/cron.*
     /etc/crontab: 30 04 * * * root /usr/sbin/aide

If the file integrity application does not exist, or a "crontab" file does not exist in "/etc/crontab", the "/etc/cron.daily" subdirectory, or "/etc/cron.weekly" subdirectory, this is a finding.

Configure SLEM 5 to check the baseline configuration for unauthorized changes at least once weekly.

Add or modify the following line in the "/etc/cron.weekly/aide" file:

0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Weekly AIDE integrity check run" root@example_server_name.mil

If anomalies are not acted on, security functions may fail to secure the system.

Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.

Notifications provided by information systems include messages to local computer consoles and/or hardware indications, such as lights.

This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.

Verify SLEM 5 notifies the SA when AIDE discovers anomalies in the operation of any security functions.

Note: A file integrity tool other than AIDE may be used, but the tool must be configured to notify the system administrator and/or ISSO if there is an anomaly.

Verify the aide cron job sends an email when executed with the following command:

     > sudo grep -i "aide" /etc/cron.*/aide 

     0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil

If the "aide" file does not exist under the "/etc/cron" directory structure or the cron job is not configured to execute a binary to send an email (such as "/bin/mail"), this is a finding.

Configure SLEM 5 to notify the SA when AIDE discovers anomalies in the operation of any security functions.

Add or modify the following line in the "/etc/cron.daily/aide" file:

0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Offloading is a common process in information systems with limited audit storage capacity.

Verify that SLEM 5 must offload syslog-ng messages for networked systems in real time and offload standalone systems at least weekly.

For standalone hosts, verify with the system administrator that the log files are offloaded at least weekly.

For networked systems, check that syslog-ng is sending log messages to a remote server with the following command:

     > sudo egrep "^destination logserver"  /etc/syslog-ng/syslog-ng.conf
     syslog("10.10.10.10" transport("udp") port(514)); };

If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.

Configure SLEM 5 to offload syslog-ng messages for networked systems in real time.

For standalone systems establish a procedure to offload log messages at least once a week.

For networked systems add a "UDP_OR_TCP("IP_ADDRESS" port(514)); };"
"#log { source(src); destination(logserver); };" in "/etc/syslog-ng/syslog-ng.conf" that does not have one.

syslog("10.10.10.10" transport("udp") port(514)); };

Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.

Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.

Associating event types with detected events in SLEM 5 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SLEM 5.

Verify SLEM 5 auditing package is installed with the following command:

     > zypper info audit 
     Name           : audit
     Version        : 2.8.5-3.2
     Arch           : X86_64
     Vendor         : SUSE LLC 
     Installed Size : 646.2 KiB
     Installed      : Yes (automatically)
     Status         : up-to-date

If the package "audit" is not installed on the system, this is a finding.

Install SLEM 5 auditing package with the following commands:

     > sudo transactional-update pkg install audit
     > sudo reboot

Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.

Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.

Associating event types with detected events in SLEM 5 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SLEM 5.

Verify SLEM 5 produces audit records with the following commands:

     > systemctl is-active auditd.service
     active

     > systemctl is-enabled auditd.service
     enabled

If the service is not active or not enabled, this is a finding.

Enable SLEM 5 auditd service by using the following commands:

     > sudo systemctl enable auditd.service
     > sudo systemctl start auditd.service

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Offloading is a common process in information systems with limited audit storage capacity.
 
The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server.

Verify that the "audit-audispd-plugins" package is installed on SLEM 5 with the following command:

     > zypper info audit-audispd-plugins | grep Installed
     Installed    : Yes

If the "audit-audispd-plugins" package is not installed, this is a finding.

Verify the "au-remote" plugin is enabled with the following command: 

     > sudo grep -i active /etc/audisp/plugins.d/au-remote.conf 
     active = yes

If "active" is not set to "yes", is commented out, or is missing, this is a finding.

Install the "audit-audispd-plugins" package on SLEM 5 by running the following command:

     > sudo transactional-update pkg install audit-audispd-plugins

Add or modify the following line in the "/etc/audisp/plugins.d/au-remote.conf" file:

active = yes

Reboot the system:

     > sudo reboot

To ensure SLEM 5 has a sufficient storage capacity in which to write the audit logs, SLEM 5 must be able to allocate audit record storage capacity.

The task of allocating audit record storage capacity is usually performed during initial installation of SLEM 5.

Verify SLEM 5 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.

Determine which partition the audit records are being written to with the following command:

     > sudo grep -iw log_file /etc/audit/auditd.conf
     log_file = /var/log/audit/audit.log

Check the size of the partition that audit records are written to (with the example being /var/log/audit/) with the following command:

     > df -h /var/log/audit/
     Filesystem    Size    Used   Avail  Use%  Mounted on
     /dev/sda2     24G  10.4G 13.6G    43% /var

If the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command:

     > sudo du -sh 
     1.8G /var/log/audit

The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available.

If the audit record partition is not allocated sufficient storage capacity, this is a finding.

Allocate enough storage capacity for at least one week of SLEM 5 audit records when audit records are not immediately sent to a central audit record storage facility.

If audit records are stored on a partition made specifically for audit records, use the "YaST2 - Partitioner" program (installation and configuration tool for Linux) to resize the partition with sufficient space to contain one week of audit records.

If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of space will need be to be created. The new partition can be created using the "YaST2 - Partitioner" program on the system.

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Determine if SLEM 5 auditd is configured to notify the SA and ISSO when the audit record storage volume reaches 75 percent of the storage capacity with the following command:

     > sudo grep -iw space_left /etc/audit/auditd.conf
     space_left = 25% 

If "space_left" is not set to "25%" or greater, this is a finding.

Configure SLEM 5 auditd service to notify the SA and ISSO immediately when audit storage capacity is 75 percent full.

Add or modify the following lines in the "/etc/audit/auditd.conf " file: 

space_left = 25%

It is critical that when SLEM 5 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode.

When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 

1) If the failure was caused by the lack of audit record storage capacity, SLEM 5 must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner.

2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, SLEM 5 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.

Verify SLEM 5 takes the appropriate action when the audit storage volume is full using the following command:

     > sudo grep disk_full_action /etc/audit/auditd.conf
     disk_full_action = HALT

If "disk_full_action" is not set to "HALT", "SYSLOG", or "SINGLE", is commented out, or is missing, this is a finding.

Configure SLEM 5 to shut down by default upon audit failure.

Add or modify the following line in the "/etc/audit/auditd.conf " file: 

disk_full_action = HALT  

Note: If system availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure SLEM 5 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG" or "SINGLE".

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Offloading is a common process in information systems with limited audit storage capacity.

Verify what action the audit system takes if it cannot offload audit records to a different system or storage media from SLEM 5 being audited.

Check the action that the audit system takes in the event of a network failure with the following command:

     > sudo grep -i "network_failure_action" /etc/audisp/audisp-remote.conf
     network_failure_action = syslog

If the "network_failure_action" option is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.

Configure SLEM 5 to take the appropriate action if it cannot offload audit records to a different system or storage media from the system being audited due to a network failure.

Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file:

network_failure_action = syslog

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Offloading is a common process in information systems with limited audit storage capacity.

Verify the audit system offloads audit records if SLEM 5 storage volume becomes full.

Check that the records are properly offloaded to a remote server with the following command:

     > sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf
     disk_full_action = syslog

If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.

Configure SLEM 5 to take the appropriate action if the audit storage is full.

Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file:

disk_full_action = syslog

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Verify that SLEM 5 protects audit rules from unauthorized modification with the following command:

     > grep -i audit /etc/permissions.local
     /var/log/audit root:root 600
     /var/log/audit/audit.log root:root 600
     /etc/audit/audit.rules root:root 640
     /etc/audit/rules.d/audit.rules root:root 640

If the command does not return any output or all four lines as shown, this is a finding.

Check that all of the audit information files and folders have the correct permissions with the following command:

     > sudo chkstat /etc/permissions.local

If the command returns any output, this is a finding.

Configure SLEM 5 to protect audit rules from unauthorized modification.

Add or modify the following lines in "/etc/permissions.local":

/var/log/audit root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640

Set the correct permissions with the following command:

     > sudo chkstat --set /etc/permissions.local

Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information.

SLEM 5 providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.

Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

To protect from unauthorized access verify that SLEM 5 audit tools have the proper permissions configured in the permissions profile by using the following command:

     > grep "^/usr/sbin/au" /etc/permissions.local
     /usr/sbin/audispd root:root 750
     /usr/sbin/auditctl root:root 750
     /usr/sbin/auditd root:root 750
     /usr/sbin/ausearch root:root 755
     /usr/sbin/aureport root:root 755
     /usr/sbin/autrace root:root 750
     /usr/sbin/augenrules root:root 750

If the command does not return any output, this is a finding.

Configure SLEM 5 audit tools to have proper permissions set in the permissions profile.

Add or modify the following lines in the "/etc/permissions.local" file:

/usr/sbin/audispd root:root 750
/usr/sbin/auditctl root:root 750
/usr/sbin/auditd root:root 750
/usr/sbin/ausearch root:root 755
/usr/sbin/aureport root:root 755
/usr/sbin/autrace root:root 750
/usr/sbin/augenrules root:root 750

Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information.

SLEM 5 providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.

Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

To protect from unauthorized access verify that SLEM 5 audit tools have the proper permissions applied from the permissions profile by using the following command:

     > sudo chkstat /etc/permissions.local

If the command returns any output, this is a finding.

Configure SLEM 5 audit tools to have proper permissions applied from the permissions profile using the following command:

     > sudo chkstat --set /etc/permissions.local

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Audit events that may include sensitive data must be encrypted prior to transmission. Kerberos provides a mechanism to provide both authentication and encryption for audit event records.

Determine if SLEM 5 audit event multiplexor is configured to use Kerberos by running the following command:

     > sudo grep enable_krb5 /etc/audisp/audisp-remote.conf
     enable_krb5 = yes

If "enable_krb5" is not set to "yes", or is commented out, this is a finding.

Configure SLEM 5 audit event multiplexor to use Kerberos.

Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file:

enable_krb5 = yes

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Offloading is a common process in information systems with limited audit storage capacity.

Verify "audispd" offloads audit records onto a different system or media from SLEM 5 being audited with the following command:

     > sudo grep remote_server /etc/audisp/audisp-remote.conf
     remote_server = 240.9.19.81

If "remote_server" is not set to an external server or media, or is commented out, this is a finding.

Configure SLEM 5 to offload audit records onto a different system or media.

Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file:

remote_server = 

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Verify the administrators are notified in the event of a SLEM 5 audit processing failure with the following commands:

     > grep -i "^postmaster:" /etc/aliases
     postmaster: root

If the above command does not return a value of "root", or the output is commented out, this is a finding.

Verify the alias for root forwards to a monitored e-mail account:

     > grep -i "^root:" /etc/aliases
     root: person@server.mil

If the alias for root does not forward to a monitored e-mail account, or the output is commented out, this is a finding.

Configure the auditd service to notify the administrators in the event of a SLEM 5 audit processing failure.

Configure an alias value for the postmaster with the following command:

     > sudo sh -c 'echo "postmaster: root" >> /etc/aliases' 

Configure an alias for root that forwards to a monitored email address with the following command:

     > sudo sh -c 'echo "root: box@server.mil" >> /etc/aliases'

The following command must be run to implement changes to the /etc/aliases file:

     > sudo newaliases

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Verify the system is configured to send email to an account when it needs to notify an administrator with the following command:

     > sudo grep action_mail /etc/audit/auditd.conf
     action_mail_acct = root

If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the returned line is commented out, or the "action_mail_acct" keyword is missing, this is a finding.

Configure the auditd service to notify the administrators in the event of a SLEM 5 audit processing failure.

Add or modify the following lines in the "/etc/audit/auditd.conf " file:

action_mail_acct = root

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for all uses of the "chacl" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/chacl'
     -a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "chacl" command. 

Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Note: The "-k " at the end of the line gives the rule a unique meaning to help during an audit investigation. The  does not need to match the example above.

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for any use of the "chage" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/chage'
     -a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chage

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "chage" command. 

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for all uses of the "chcon" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/chcon'
     -a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "chcon" command.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Verify SLEM 5 generates an audit record for all uses of the "chfn" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/chfn'
     -a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chfn

If the command does not return any output or the returned line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "chfn" command.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chfn

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for all uses of the "chmod" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/chmod'
     -a always,exit -S all -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "chmod" command. 

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Verify SLEM 5 generates an audit record for all uses of the "chsh" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/chsh'
     -a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chsh

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "chsh" command.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for any use of the "crontab" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/crontab'
     -a always,exit -S all -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-crontab

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "crontab" command.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Verify SLEM 5 generates an audit record for all uses of the "gpasswd" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/gpasswd'
     -a always,exit -S all -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-gpasswd

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "gpasswd" command.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.

DOD has defined the following list of events for which SLEM 5 will provide an audit record generation capability: 

1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);

2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;

3) All account creations, modifications, disabling, and terminations; and 

4) All kernel module load, unload, and restart actions.

Verify SLEM 5 is generates an audit record for all uses of the "insmod" command with the following command:

     > sudo auditctl -l | grep -w '/sbin/insmod'
     -w /sbin/insmod -p x -k modules

If the system is configured to audit the execution of the module management program "insmod", the command will return a line.

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to audit the execution of the module management program "insmod".

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-w /sbin/insmod -p x -k modules 

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.

DOD has defined the following list of events for which SLEM 5 will provide an audit record generation capability: 

1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);

2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;

3) All account creations, modifications, disabling, and terminations; and 

4) All kernel module load, unload, and restart actions.

Verify SLEM 5 generates an audit record for all uses of the "kmod" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/kmod'
     -w /usr/bin/kmod -p x -k modules

If the system is configured to audit the execution of the module management program "kmod", the command will return a line.

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to audit the execution of the module management program "kmod".

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-w /usr/bin/kmod -p x -k modules

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.

DOD has defined the following list of events for which SLEM 5 will provide an audit record generation capability: 

1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);

2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;

3) All account creations, modifications, disabling, and terminations; and 

4) All kernel module load, unload, and restart actions.

Verify SLEM 5 generates an audit record for all uses of the "modprobe" command with the following command:

     > sudo auditctl -l | grep -w '/sbin/modprobe'
     -w /sbin/modprobe -p x -k modules

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to audit the execution of the module management program "modprobe".

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-w /sbin/modprobe -p x -k modules 

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Verify SLEM 5 generates an audit record for all uses of the "newgrp" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/newgrp'
     -a always,exit -S all -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-newgrp

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "newgrp" command.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for any use of the "pam_timestamp_check" command with the following command:

     > sudo auditctl -l | grep -w '/sbin/pam_timestamp_check'
     -a always,exit -S all -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-pam_timestamp_check

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "pam_timestamp_check" command. 

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Verify SLEM 5 generates an audit record for all uses of the "passwd" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/passwd'
     -a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-passwd

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "passwd" command.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for all uses of the "rm" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/rm'
     -a always,exit -S all -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "rm" command. 

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.

DOD has defined the following list of events for which SLEM 5 will provide an audit record generation capability: 

1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);

2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;

3) All account creations, modifications, disabling, and terminations; and 

4) All kernel module load, unload, and restart actions.

Verify SLEM 5 generates an audit record for all uses of the "rmmod" command with the following command:

     > sudo auditctl -l | grep -w '/sbin/rmmod'
     -w /sbin/rmmod -p x -k modules

If the system is configured to audit the execution of the module management program "rmmod", the command will return a line. 

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to audit the execution of the module management program "rmmod".

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-w /sbin/rmmod -p x -k modules

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for all uses of the "setfacl" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/setfacl'
     -a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "setfacl" command. 

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Verify SLEM 5 generates an audit record for all uses of the "ssh-agent" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/ssh-agent'
     -a always,exit -S all -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-ssh-agent

If the command does not return any output or the returned line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "ssh-agent" command.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Verify SLEM 5 generates an audit record for all uses of the "ssh-keysign" command with the following command:

     > sudo auditctl -l | grep -w '/usr/lib/ssh/ssh-keysign'
     -a always,exit -S all -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-ssh-keysign

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "ssh-keysign" command.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for any use of the "su" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/su'
     -a always,exit -S all -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-priv_change

If the command does not return any output or the returned line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "su" command. 

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Verify SLEM 5 generates an audit record for any use of the "sudo" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/sudo'
     -a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-sudo

If the command does not return any output, or the returned line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "sudo" command.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify an audit record is generated for all uses of the "sudoedit" command with the following command:

     > sudo auditctl -l | grep -w '/usr/bin/sudoedit'
     -a always,exit -S all -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-sudoedit

If the command does not return any output or the returned line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "sudoedit" command. 

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for any use of the "unix_chkpwd" or "unix2_chkpwd" commands with the following command:

     > sudo auditctl -l | egrep -w "(unix_chkpwd|unix2_chkpwd)"
     -a always,exit -S all -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-unix-chkpwd
     -a always,exit -S all -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-unix2-chkpwd

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "unix_chkpwd" and "unix2_chkpwd" commands. 

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-chkpwd
-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix2-chkpwd

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for any use of the "usermod" command with the following command:

     > sudo auditctl -l | grep -w '/usr/sbin/usermod'
     -a always,exit -S all -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-usermod

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "usermod" command. 

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing account creation mitigates this risk.

To address access requirements, SLEM 5 may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Verify SLEM 5 generates an audit record when modifications occur to the "/etc/group" file with the following command:

     > sudo auditctl -l | grep -w '/etc/group'
     -w /etc/group -p wa -k account_mod

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "-k" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record when all modifications to the "/etc/group" file occur.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-w /etc/group -p wa -k account_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing account creation mitigates this risk.

To address access requirements, SLEM 5 may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Verify SLEM 5 generates an audit record when modifications occur to the "/etc/security/opasswd" file with the following command:

     > sudo auditctl -l | grep -w '/etc/security/opasswd'
     -w /etc/security/opasswd -p wa -k account_mod

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Notes: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Configure SLEM 5 to generate an audit record when all modifications to the "/etc/security/opasswd" file occur.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-w /etc/security/opasswd -p wa -k account_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing account creation mitigates this risk.

To address access requirements, SLEM 5 may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Verify SLEM 5 generates an audit record when all modifications occur to the "/etc/passwd" file with the following command:

     > sudo auditctl -l | grep -w '/etc/passwd'
     -w /etc/passwd -p wa -k account_mod

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Notes: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Configure SLEM 5 to generate an audit record when all modifications to the "/etc/passwd" file occur.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-w /etc/passwd -p wa -k account_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing account creation mitigates this risk.

To address access requirements, SLEM 5 may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Verify SLEM 5 generates an audit record when modifications occur to the "/etc/shadow" file with the following command:

     > sudo auditctl -l | grep -w '/etc/shadow'
     -w /etc/shadow -p wa -k account_mod

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Notes: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Configure SLEM 5 to generate an audit record when all modifications to the "/etc/shadow" file occur.

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-w /etc/shadow -p wa -k account_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. However, the performance can be helped by combining syscalls into one rule whenever possible.

Verify SLEM 5 generates an audit record for all uses of the "chmod", "fchmod" and "fchmodat" system calls with the following command:

     > sudo auditctl -l | grep chmod
     -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
     -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod

If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "chmod", "fchmod", and "fchmodat" system calls. 

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.

Verify SLEM 5 generates an audit record for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls with the following command:

     > sudo auditctl -l | grep chown
     -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -F key=perm_mod
     -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -F key=perm_mod

If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", and "lchown" syscalls, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls. 

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.

Verify SLEM 5 generates an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls with the following command:

     > sudo auditctl -l | grep 'open\|truncate\|creat'
     -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=perm_access
     -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=perm_access

     -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=perm_access
     -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=perm_access

If both the "b32" and "b64" audit rules are not defined for the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls, this is a finding.

If the output does not produce rules containing "-F exit=-EPERM", this is a finding.

If the output does not produce rules containing "-F exit=-EACCES", this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. 

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access

-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for all uses of the "delete_module" system call with the following command:

     > sudo auditctl -l | grep -w 'delete_module'
     -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -F key=unload_module
     -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -F key=unload_module

If both the "b32" and "b64" audit rules are not defined for the "unload_module" syscall, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "delete_module" system call. 

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k unload_module
-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k unload_module

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.

Verify SLEM 5 generates an audit record for all uses of the "init_module" and "finit_module" system calls with the following command:

     > sudo auditctl -l | grep init_module
     -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -F key=moduleload
     -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -F key=moduleload

If both the "b32" and "b64" audit rules are not defined for the init_module" and "finit_module" syscalls, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "init_module" and "finit_module" system calls.

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k moduleload
-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k moduleload

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Verify SLEM 5 generates an audit record for all uses of the "mount" system call with the following command:

     > sudo auditctl -l | grep -w 'mount'
     -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=privileged-mount
     -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=privileged-mount

If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "mount" system call.

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.

Verify SLEM 5 generates an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls with the following command:

     > sudo auditctl -l | grep xattr
     -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod
     -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod

If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr","removexattr", "fremovexattr", and "lremovexattr" system calls. 

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Verify SLEM 5 generates an audit record for all uses of the "umount" and "umount2" system calls with the following command:

     > sudo auditctl -l | grep 'umount'
     -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=-1 -F key=privileged-umount
     -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount
     -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount

If both the "b32" and "b64" audit rules are not defined for the "umount" syscall, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "umount" and "umount2" system calls.

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.

Verify SLEM 5 generates an audit record for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls with the following command:

     > sudo auditctl -l | grep 'unlink\|rename\|rmdir'
     -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=perm_mod
     -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=perm_mod

If both the "b32" and "b64" audit rules are not defined for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. 

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k perm_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.

Verify SLEM 5 generates an audit record for any privileged use of the "execve" system call with the following command:

     > sudo auditctl -l | grep -w 'execve'
     -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=setuid
     -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid
     -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=setgid
     -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=setgid

If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.

If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for any privileged use of the "execve" system call.

Add or modify the following lines in "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record when all modifications to the "lastlog" file occur with the following command:

     > sudo auditctl -l | grep -w '/var/log/lastlog'
     -w /var/log/lastlog -p wa -k logins

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for any all modifications to the "lastlog" file occur. 

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-w /var/log/lastlog -p wa -k logins

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record when all modifications to the "tallylog" file occur with the following command:

     > sudo auditctl -l | grep -w '/var/log/tallylog'
     -w /var/log/tallylog -p wa -k logins

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for any all modifications to the "tallylog" file occur. 

Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file:

-w /var/log/tallylog -p wa -k logins

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Verify SLEM 5 generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory with the following command:

     > sudo auditctl -l | grep -w '/etc/sudoers'
     -w /etc/sudoers -p wa -k privileged-actions
     -w /etc/sudoers.d -p wa -k privileged-actions

If the commands do not return output that match the examples, this is a finding.

Notes: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Configure SLEM 5 to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory.

Add or modify the following lines in "/etc/audit/rules.d/audit.rules" file:

-w /etc/sudoers -p wa -k privileged-actions

-w /etc/sudoers.d -p wa -k privileged-actions

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setfiles" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling).

When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.

Verify SLEM 5 generates an audit record for all uses of the "setfiles" command with the following command:

     > sudo grep -w "setfiles" /etc/audit/audit.rules
     -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

If the command does not return a line, or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "setfiles" command.

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "semanage" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.

When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.

Verify SLEM 5 generates an audit record for all uses of the "semanage" command with the following command:

     > sudo grep -w "semanage" /etc/audit/audit.rules
     -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

If the command does not return a line, or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "semanage" command.

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setsebool" command sets the current state of a particular SELinux boolean or a list of booleans to a given value.

When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.

Verify SLEM 5 generates an audit record for all uses of the "setsebool" command with the following command:

     > sudo grep -w "setsebool" /etc/audit/audit.rules
     -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

If the command does not return a line, or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "setsebool" command.

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for the "/run/utmp" file with the following command:

     > sudo auditctl -l | grep -w '/run/utmp'
     -w /run/utmp -p wa -k login_mod

If the command does not return a line that matches the example, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for the "/run/utmp" file. 

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-w /run/utmp -p wa -k login_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for the "/var/log/btmp" file with the following command:

     > sudo auditctl -l | grep -w '/var/log/btmp'
     -w /var/log/btmp -p wa -k login_mod

If the command does not return a line that matches the example, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for the "/var/log/btmp" file. 

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-w /var/log/btmp -p wa -k login_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Verify SLEM 5 generates an audit record for the "/var/log/wtmp" file with the following command:

     > sudo auditctl -l | grep -w '/var/log/wtmp'
     -w /var/log/wtmp -p wa -k login_mod

If the command does not return a line that matches the example, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Configure SLEM 5 to generate an audit record for the "/var/log/wtmp" file. 

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-w /var/log/wtmp -p wa -k login_mod

To reload the rules file, restart the audit daemon:

     > sudo systemctl restart auditd.service

or issue the following command:

     > sudo augenrules --load

By default, SLEM 5 includes the "-a task,never" audit rule as a default. This rule suppresses syscall auditing for all tasks started with this rule in effect. Because the audit daemon processes the "audit.rules" file from the top down, this rule supersedes all other defined syscall rules; therefore no syscall auditing can take place on the operating system.

Verify syscall auditing has not been disabled with the following command:

     > sudo auditctl -l | grep -i "a task,never"

If any results are returned, this is a finding.

Verify the default rule "-a task,never" is not statically defined :

     > grep -rv "^#" /etc/audit/rules.d/ | grep -i "a task,never"

If any results are returned, this is a finding.

Remove the "-a task,never" rule from the /etc/audit/rules.d/audit.rules file.

The audit daemon must be restarted for the changes to take effect.

     > sudo systemctl restart auditd.service

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. SLEM 5 must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Verify SLEM 5 is running in FIPS mode by running the following command.

     > cat /proc/sys/crypto/fips_enabled 
     1

If the value returned is "0", nothing is returned, or the file does not exist, this is a finding.

To configure SLEM 5 to run in FIPS mode, add "fips=1" to the kernel parameter during SLEM 5 install.

Enabling FIPS mode on a preexisting system involves a number of modifications to SLEM 5. Refer to section 9.1, "Crypto Officer Guidance", of the following document for installation guidance:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdf