| CCE-83289-9 |
Install AIDE [ref] |
The aide package can be installed with the following command: $ sudo zypper install aide |
The AIDE package must be installed if it is to be available for integrity checking. |
medium |
content_rule_package_aide_installed |
SLES-15-010420 |
CM-6(a) |
4.3.4.3.2,4.3.4.3.3,4.3.4.4.4 |
PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1,PR.IP-3,DE.CM-1,DE.CM-7 |
SRG-OS-000363-GPOS-00150 |
NaN |
SV-234851r622137_rule |
CCI-002699,CCI-001744 |
1,2,3,5,7,8,9,11,12,13,14,15,16 |
NaN |
NaN |
APO01.06,BAI01.06,BAI02.01,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS04.07,DSS05.02,DSS05.03,DSS05.05,DSS05.07,DSS06.02,DSS06.06 |
A.8.2.3,A.11.2.4,A.12.1.2,A.12.2.1,A.12.4.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1 |
SR,3.1,SR,3.3,SR,3.4,SR,3.8,SR,4.1,SR,6.2,SR,7.6 |
BP28(R51) |
5.10.1.3,1034,1288,1341,1417,Req-11.5,1.4.1 |
| CCE-85610-4 |
Configure AIDE to Verify the Audit Tools [ref] |
The operating system file integrity tool must be configured to protect the integrity of the audit tools. |
Protecting the integrity of the tools used for auditing purposes is acritical step toward ensuring the integrity of audit information. Auditinformation includes all information (e.g., audit records, audit settings,and audit reports) needed to successfully audit information systemactivity.Audit tools include but are not limited to vendor-provided and open-sourceaudit tools needed to successfully view and manipulate audit informationsystem activity and records. Audit tools include custom queries and reportgenerators.It is not uncommon for attackers to replace the audit tools or inject codeinto the existing tools to provide the capability to hide or erase systemactivity from the audit logs.To address this risk, audit tools must be cryptographically signed toprovide the capability to identify when the audit tools have been modified,manipulated, or replaced. An example is a checksum hash of the file orfiles. |
medium |
content_rule_aide_check_audit_tools |
SLES-15-030630 |
AU-9(3),AU-9(3).1 |
NaN |
NaN |
SRG-OS-000278-GPOS-00108 |
NaN |
SV-234962r622137_rule |
CCI-001496 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85671-6 |
Configure Periodic Execution of AIDE [ref] |
At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root --check To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * 0 root --check AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable. |
By default, AIDE does not install itself for periodic execution. Periodicallyrunning AIDE is necessary to reveal unexpected changes in installed files.Unauthorized changes to the baseline configuration could make the system vulnerableto various attacks or allow unauthorized access to the operating system. Changes tooperating system configurations can have unintended side effects, some of which maybe relevant to security.Detecting such changes and providing an automated response can help avoid unintended,negative consequences that could ultimately affect the security state of the operatingsystem. The operating system's Information Management Officer (IMO)/Information SystemSecurity Officer (ISSO) and System Administrators (SAs) must be notified via email and/ormonitoring system trap when there is an unauthorized modification of a configuration item. |
medium |
content_rule_aide_periodic_cron_checking |
SLES-15-010570 |
SI-6(d) |
4.3.4.3.2,4.3.4.3.3,4.3.4.4.4 |
PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1,PR.IP-3,DE.CM-1,DE.CM-7 |
SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201 |
NaN |
SV-234864r622137_rule |
CCI-001744,CCI-002699,CCI-002702 |
1,2,3,5,7,8,9,11,12,13,14,15,16 |
NaN |
NaN |
APO01.06,BAI01.06,BAI02.01,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS04.07,DSS05.02,DSS05.03,DSS05.05,DSS05.07,DSS06.02,DSS06.06 |
A.8.2.3,A.11.2.4,A.12.1.2,A.12.2.1,A.12.4.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1 |
SR,3.1,SR,3.3,SR,3.4,SR,3.8,SR,4.1,SR,6.2,SR,7.6 |
BP28(R51) |
5.10.1.3,Req-11.5,1.4.2 |
| CCE-85623-7 |
Configure AIDE to Verify Access Control Lists (ACLs) [ref] |
By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf: FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds acl to all rule sets available in /etc/aide.conf |
ACLs can provide permissions beyond those permitted through the file mode and must beverified by the file integrity tools. |
low |
content_rule_aide_verify_acls |
SLES-15-040040 |
CM-6(a),SI-7,SI-7(1) |
4.3.4.4.4 |
PR.DS-6,PR.DS-8 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234986r622137_rule |
CCI-000366 |
2,3 |
NaN |
NaN |
APO01.06,BAI03.05,BAI06.01,DSS06.02 |
A.11.2.4,A.12.2.1,A.12.5.1,A.14.1.2,A.14.1.3,A.14.2.4 |
SR,3.1,SR,3.3,SR,3.4,SR,3.8 |
BP28(R51) |
NaN |
| CCE-85624-5 |
Configure AIDE to Verify Extended Attributes [ref] |
By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf: FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in /etc/aide.conf |
Extended attributes in file systems are used to contain arbitrary data and file metadatawith security implications. |
low |
content_rule_aide_verify_ext_attributes |
SLES-15-040050 |
CM-6(a),SI-7,SI-7(1) |
4.3.4.4.4 |
PR.DS-6,PR.DS-8 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234987r622137_rule |
CCI-000366 |
2,3 |
NaN |
NaN |
APO01.06,BAI03.05,BAI06.01,DSS06.02 |
A.11.2.4,A.12.2.1,A.12.5.1,A.14.1.2,A.14.1.3,A.14.2.4 |
SR,3.1,SR,3.3,SR,3.4,SR,3.8 |
BP28(R51) |
NaN |
| CCE-85763-1 |
Verify '/proc/sys/crypto/fips_enabled' exists [ref] |
On a system where FIPS 140-2 mode is enabled, /proc/sys/crypto/fips_enabled must exist. To verify FIPS mode, run the following command: cat /proc/sys/crypto/fips_enabledWarning: To configure the OS to run in FIPS 140-2 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it. Refer to the vendor installation guidances.Warning: System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption toprotect data. The operating system must implement cryptographic modules adhering to the higherstandards approved by the federal government since this provides assurance they have been testedand validated. |
high |
content_rule_is_fips_mode_enabled |
SLES-15-010510 |
SC-13 |
NaN |
NaN |
SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223 |
NaN |
SV-234859r622137_rule |
CCI-002450 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83260-0 |
The Installed Operating System Is Vendor Supported [ref] |
The installed operating system must be maintained by a vendor. SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise vendor, SUSE is responsible for providing security patches.Warning: There is no remediation besides switching to a different operating system. |
An operating system is considered "supported" if the vendor continues toprovide security patches for the product. With an unsupported release, itwill not be possible to resolve any security issue discovered in the systemsoftware. |
high |
content_rule_installed_OS_is_vendor_supported |
SLES-15-010000 |
CM-6(a),MA-6 |
4.2.3.12 |
ID.RA-1,PR.IP-12 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234800r622137_rule |
CCI-000366 |
4,18,20 |
NaN |
NaN |
APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02 |
A.12.6.1,SA-13(a),A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3 |
NaN |
NaN |
4.2.3,4.2.3.7,4.2.3.9 |
| CCE-85719-3 |
Encrypt Partitions [ref] |
SUSE Linux Enterprise 15 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the SUSE Linux Enterprise 15 Documentation web site:https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html |
The risk of a system's physical compromise, particularly mobile systems such aslaptops, places its data at risk of compromise. Encrypting this data mitigatesthe risk of its loss if the system is lost. |
high |
content_rule_encrypt_partitions |
SLES-15-010330 |
SC-28,SC-28.1 |
3.13.16,CIP-003-3,R4.2 |
PR.DS-1,PR.DS-5 |
SRG-OS-000405-GPOS-00184,SRG-OS-000185-GPOS-00079,SRG-OS-000404-GPOS-00183,SRG-OS-000404-VMM-001650,SRG-OS-000405-VMM-001660 |
NaN |
SV-234831r622137_rule |
CCI-001199,CCI-002475,CCI-002476 |
13,14 |
NaN |
164.308(a)(1)(ii)(D),164.308(b)(1),164.310(d),164.312(a)(1),164.312(a)(2)(iii),164.312(a)(2)(iv),164.312(b),164.312(c),164.314(b)(2)(i),164.312(d) |
APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,3.4,SR,4.1,SR,5.2 |
NaN |
CIP-007-3,R5.1 |
| CCE-85639-3 |
Ensure /home Located On Separate Partition [ref] |
If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. |
Ensuring that /home is mounted on its own partition enables thesetting of more restrictive mount options, and also helps ensure thatusers cannot trivially fill partitions used for log or audit data storage. |
low |
content_rule_partition_for_home |
SLES-15-040200 |
CM-6(a),SC-5(2) |
NaN |
PR.PT-4 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235004r622137_rule |
CCI-000366,CCI-001208 |
8,12,15 |
NaN |
NaN |
APO13.01,DSS05.02 |
A.13.1.1,A.13.2.1,A.14.1.3 |
SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,7.1,SR,7.6 |
BP28(R12) |
1.1.17 |
| CCE-85640-1 |
Ensure /var Located On Separate Partition [ref] |
The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. |
Ensuring that /var is mounted on its own partition enables thesetting of more restrictive mount options. This helps protectsystem services such as daemons or other programs which use it.It is not uncommon for the /var directory to containworld-writable directories installed by other software packages. |
low |
content_rule_partition_for_var |
SLES-15-040210 |
CM-6(a),SC-5(2) |
NaN |
PR.PT-4 |
SRG-OS-000480-GPOS-00227,SRG-OS-000341-VMM-001220 |
NaN |
SV-235005r622137_rule |
CCI-000366 |
8,12,15 |
NaN |
NaN |
APO13.01,DSS05.02 |
A.13.1.1,A.13.2.1,A.14.1.3 |
SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,7.1,SR,7.6 |
BP28(R12) |
1.1.7 |
| CCE-85618-7 |
Ensure /var/log/audit Located On Separate Partition [ref] |
Audit logs are stored in the /var/log/audit directory. Ensure that /var/log/audit has its own partition or logical volume at installation time, or migrate it using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. |
Placing /var/log/audit in its own partitionenables better separation between audit filesand other files, and helps ensure thatauditing cannot be halted due to the partition running outof space. |
low |
content_rule_partition_for_var_log_audit |
SLES-15-030810 |
AU-4,CM-6(a),SC-5(2) |
4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
PR.DS-4,PR.PT-1,PR.PT-4 |
SRG-OS-000341-GPOS-00132,SRG-OS-000480-GPOS-00227,SRG-OS-000341-VMM-001220 |
NaN |
SV-234980r622137_rule |
CCI-000366,CCI-001849 |
1,2,3,5,6,8,12,13,14,15,16 |
NaN |
164.312(a)(2)(ii) |
APO11.04,APO13.01,BAI03.05,BAI04.04,DSS05.02,DSS05.04,DSS05.07,MEA02.01 |
A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.17.2.1 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,7.1,SR,7.2,SR,7.6 |
BP28(R43) |
4.4.2.1,4.4.2.2,4.4.2.4,CIP-007-3,R6.5,1.1.16 |
| CCE-85723-5 |
Disable GDM Unattended or Automatic Login [ref] |
The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials or unattended login. User should always be required to authenticate themselves to the system that they are authorized to use. To disable user ability to automatically login to the system, set the DISPLAYMANAGER_AUTOLOGIN="" or DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" in the /etc/sysconfig/displaymanager. For example: DISPLAYMANAGER_AUTOLOGIN="" DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" |
Failure to restrict system access to authenticated users negatively impacts operatingsystem security. |
high |
content_rule_gnome_gdm_disable_unattended_automatic_login |
SLES-15-040430 |
CM-6(b),CM-6.1(iv) |
NaN |
NaN |
SRG-OS-000480-GPOS-00229 |
NaN |
SV-235031r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85669-0 |
Set GNOME3 Screensaver Inactivity Timeout [ref] |
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in /etc/dconf/db/local.d/locks directory to prevent user modification. For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings: [org/gnome/desktop/session] idle-delay=uint32 900 Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/session/idle-delay After the settings have been set, run dconf update. |
A session time-out lock is a temporary action taken when a user stops work and moves away fromthe immediate physical vicinity of the information system but does not logout because of thetemporary nature of the absence. Rather than relying on the user to manually lock their operatingsystem session prior to vacating the vicinity, GNOME3 can be configured to identify whena user's session has idled and take action to initiate a session lock. |
medium |
content_rule_dconf_gnome_screensaver_idle_delay |
SLES-15-010120 |
AC-11(a),AC-11.1,(ii) |
3.1.10,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-7 |
SRG-OS-000029-GPOS-00010 |
NaN |
SV-234812r622137_rule |
CCI-000057 |
1,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.10 |
A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
NaN |
5.5.5,FMT_MOF_EXT.1,Req-8.1.8 |
| CCE-85766-4 |
Enable GNOME3 Screensaver Lock After Idle Period [ref] |
To activate locking of the screensaver in the GNOME3 desktop when it is activated, run the following command to configure the SUSE operating system to allow the user to lock the GUI: gsettings set org.gnome.desktop.lockdown disable-lock-screen false Validate that disable-lock-screen has been set to false with the command: gsettings get org.gnome.desktop.lockdown disable-lock-screen |
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinityof the information system but does not want to logout because of the temporary nature of the absense. |
medium |
content_rule_dconf_gnome_screensaver_lock_enabled |
SLES-15-010100 |
CM-6(a) |
3.1.10,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-7 |
SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011 |
NaN |
SV-234810r622137_rule |
CCI-000056,CCI-000058,CCI-000060 |
1,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.10 |
A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
NaN |
5.5.5,FMT_MOF_EXT.1,Req-8.1.8 |
| CCE-85715-1 |
Implement Blank Screensaver [ref] |
On SUSE users should set the screensaver to use publicly viewable images or blank screen by doing the following: Find the Settings menu and then navigate to the Background selection section - Click "Activities" on the top left. - Click "Show Applications" at the bottom of the Activities menu. - Click the "Settings" icon. - Click "Background" from left hand menu. - Select image and set the Lock Screen image to the user's choice. - Exit Settings Dialog. To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example: [org/gnome/desktop/screensaver] picture-uri='' Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/desktop/screensaver/picture-uri After the settings have been set, run dconf update. |
Setting the screensaver mode to blank-only conceals thecontents of the display from passersby. |
medium |
content_rule_dconf_gnome_screensaver_mode_blank |
SLES-15-010140 |
AC-11(1),AC-11(1).1,CM-6(a) |
3.1.10,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-7 |
SRG-OS-000031-GPOS-00012 |
NaN |
SV-234814r622137_rule |
CCI-000060 |
1,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.10 |
A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
NaN |
5.5.5,FMT_MOF_EXT.1,Req-8.1.8 |
| CCE-83288-1 |
Make sure that the dconf databases are up-to-date with regards to respective keyfiles [ref] |
By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command. |
Unlike text-based keyfiles, the binary database is impossible to check by OVAL.Therefore, in order to evaluate dconf configuration, both have to be true at the same time -configuration files have to be compliant, and the database needs to be more recent than those keyfiles,which gives confidence that it reflects them. |
high |
content_rule_dconf_db_up_to_date |
NaN |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
NaN |
NaN |
NaN |
NaN |
164.308(a)(1)(ii)(B),164.308(a)(5)(ii)(A) |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83267-5 |
Configure GNOME3 DConf User Profile [ref] |
By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such the DConf User profile should always exist and be configured correctly. To make sure that the user profile is configured correctly, the /etc/dconf/profile/gdm should be set as follows: user-db:user system-db:gdm |
Failure to have a functional DConf profile prevents GNOME3 configuration settingsfrom being enforced for all users and allows various security risks. |
high |
content_rule_enable_dconf_user_profile |
NaN |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
NaN |
NaN |
NaN |
NaN |
164.308(a)(1)(ii)(B),164.308(a)(5)(ii)(A) |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83291-5 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate [ref] |
The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. |
Without re-authentication, users may access resources or perform tasks for which theydo not have authorization.When operating systems provide the capability to escalate a functional capability, itis critical that the user re-authenticate. |
medium |
content_rule_sudo_remove_no_authenticate |
SLES-15-010450 |
CM-6(a),IA-11 |
4.3.3.5.1,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-1,PR.AC-7 |
SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158,SRG-OS-000373-VMM-001470,SRG-OS-000373-VMM-001480,SRG-OS-000373-VMM-001490 |
NaN |
SV-234853r622137_rule |
CCI-002038 |
1,5,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.03,DSS06.10 |
A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
BP28(R5),BP28(R59) |
NaN |
| CCE-85663-3 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD [ref] |
The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. |
Without re-authentication, users may access resources or perform tasks for which theydo not have authorization.When operating systems provide the capability to escalate a functional capability, itis critical that the user re-authenticate. |
medium |
content_rule_sudo_remove_nopasswd |
SLES-15-010450 |
CM-6(a),IA-11 |
4.3.3.5.1,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-1,PR.AC-7 |
SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158,SRG-OS-000373-VMM-001470,SRG-OS-000373-VMM-001480,SRG-OS-000373-VMM-001490 |
NaN |
SV-234853r622137_rule |
CCI-002038 |
1,5,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.03,DSS06.10 |
A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
BP28(R5),BP28(R59) |
NaN |
| CCE-85673-2 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo [ref] |
The sudo NOPASSWD and !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that NOPASSWD and/or !authenticate do not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/." |
Without re-authentication, users may access resources or perform tasks for which theydo not have authorization.When operating systems provide the capability to escalate a functional capability, itis critical that the user re-authenticate. |
medium |
content_rule_sudo_require_authentication |
SLES-15-010450 |
CM-6(a),IA-11 |
4.3.3.5.1,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-1,PR.AC-7 |
SRG-OS-000373-GPOS-00156 |
NaN |
SV-234853r622137_rule |
CCI-002038 |
1,5,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.03,DSS06.10 |
A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
NaN |
NaN |
| CCE-85764-9 |
The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout [ref] |
The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. |
Without re-authentication, users may access resources or perform tasks for which theydo not have authorization.When operating systems provide the capability to escalate a functional capability, itis critical that the user re-authenticate. |
medium |
content_rule_sudo_require_reauthentication |
SLES-15-020102 |
IA-11 |
NaN |
NaN |
SRG-OS-000373-GPOS-00156 |
NaN |
SV-234878r622137_rule |
CCI-002038 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85712-8 |
The operating system must restrict privilege elevation to authorized personnel [ref] |
The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. Restrict privileged actions by removing the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALLWarning: This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable. |
If the "sudoers" file is not configured correctly, any user definedon the system can initiate privileged actions on the target system. |
medium |
content_rule_sudo_restrict_privilege_elevation_to_authorized |
SLES-15-020101 |
CM-6(b),CM-6(iv) |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234877r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85747-4 |
Ensure invoking users password for privilege escalation when using sudo [ref] |
The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output for: sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw |
If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will promptthe invoking user for the "root" user password. |
medium |
content_rule_sudoers_validate_passwd |
SLES-15-020103 |
CM-6(b),CM-6.1(iv) |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234879r622137_rule |
CCI-000366,CCI-002227 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85551-0 |
Ensure zypper Removes Previous Package Versions [ref] |
zypper should be configured to remove previous software components after new versions have been installed. To configure zypper to remove the previous software components after updating, set the solver.upgradeRemoveDroppedPackages to 1 in /etc/zypp/zypp.conf. |
Previous versions of software components that are not removed from the informationsystem after updates have been installed may be exploited by some adversaries. |
low |
content_rule_clean_components_post_updating |
SLES-15-010560 |
CM-11(a),CM-11(b),CM-6(a),SI-2(6) |
4.2.3.12,3.4.8 |
ID.RA-1,PR.IP-12 |
SRG-OS-000437-GPOS-00194,SRG-OS-000437-VMM-001760 |
NaN |
SV-234863r622137_rule |
CCI-002617 |
4,18,20 |
NaN |
NaN |
APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02 |
A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3 |
NaN |
NaN |
4.2.3,4.2.3.7,4.2.3.9 |
| CCE-83290-7 |
Ensure gpgcheck Enabled In Main zypper Configuration [ref] |
The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure zypper to check package signatures before installing them, ensure the following line appears in /etc/zypp/zypp.conf in the [main] section: gpgcheck=1 |
Changes to any software components can have significant effects on theoverall security of the operating system. This requirement ensures thesoftware has not been tampered with and that it has been provided by atrusted vendor.Accordingly, patches, service packs, device drivers, or operating systemcomponents must be signed with a certificate recognized and approved by theorganization.Verifying the authenticity of the software prior to installationvalidates the integrity of the patch or upgrade received from a vendor.This ensures the software has not been tampered with and that it has beenprovided by a trusted vendor. Self-signed certificates are disallowed bythis requirement. Certificates used to verify the software must be from anapproved Certificate Authority (CA). |
high |
content_rule_ensure_gpgcheck_globally_activated |
SLES-15-010430 |
CM-5(3),CM-6(a),CM-11(a),CM-11(b),SA-12,SC-12,SC-12(3),SI-7 |
3.4.8,4.3.4.3.2,4.3.4.3.3,4.3.4.4.4 |
PR.DS-6,PR.DS-8,PR.IP-1 |
SRG-OS-000366-GPOS-00153,SRG-OS-000366-VMM-001430,SRG-OS-000370-VMM-001460,SRG-OS-000404-VMM-001650 |
NaN |
SV-234852r622137_rule |
CCI-001749 |
2,3,9,11 |
NaN |
164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i) |
APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02 |
A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,SA-12(10),A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,3.1,SR,3.3,SR,3.4,SR,3.8,SR,7.6 |
BP28(R15) |
5.10.4.1,FPT_TUD_EXT.1,FPT_TUD_EXT.2,Req-6.2,1.2.3 |
| CCE-83261-8 |
Ensure Software Patches Installed [ref] |
If the system is configured for online updates, invoking the following command will list available security updates: $ sudo zypper refresh && sudo zypper list-patches -g security NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates. |
Installing software updates is a fundamental mitigation againstthe exploitation of publicly-known vulnerabilities. If the mostrecent security patches and updates are not installed, unauthorizedusers may take advantage of weaknesses in the unpatched software. Thelack of prompt attention to patching could result in a system compromise. |
high |
content_rule_security_patches_up_to_date |
SLES-15-010010 |
CM-6(a),SI-2(5),SI-2(c) |
4.2.3.12 |
ID.RA-1,PR.IP-12 |
SRG-OS-000480-GPOS-00227,SRG-OS-000480-VMM-002000 |
NaN |
SV-234802r622137_rule |
CCI-000366,CCI-001227 |
4,18,20 |
NaN |
NaN |
APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02 |
A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3 |
NaN |
BP28(R08) |
5.10.4.1,4.2.3,4.2.3.7,4.2.3.9,FMT_MOF_EXT.1,Req-6.2 |
| CCE-83264-2 |
Modify the System GUI Login Banner [ref] |
To configure the GUI system login banner edit /etc/gdm/banner. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: I've read & consent to terms in IS user agreem't. |
Display of a standardized and approved use notification before grantingaccess to the operating system ensures privacy and security notificationverbiage used is consistent with applicable federal laws, Executive Orders,directives, policies, regulations, standards, and guidance.System use notifications are required only for access via login interfaceswith human users and are not required when such human interfaces do notexist. |
medium |
content_rule_banner_etc_gdm_banner |
SLES-15-010060 |
AC-8(b) |
NaN |
NaN |
NaN |
NaN |
SV-234807r622137_rule |
CCI-000050 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83265-9 |
Enable GNOME3 Login Warning Banner [ref] |
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true. To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example: [org/gnome/login-screen] banner-message-enable=true Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/login-screen/banner-message-enable After the settings have been set, run dconf update. The banner text must also be set. |
Display of a standardized and approved use notification before granting access to the operating systemensures privacy and security notification verbiage used is consistent with applicable federal laws,Executive Orders, directives, policies, regulations, standards, and guidance.For U.S. Government systems, system use notifications are required only for access via login interfaceswith human users and are not required when such human interfaces do not exist. |
medium |
content_rule_dconf_gnome_banner_enabled |
SLES-15-010080 |
AC-8(a),AC-8(b),AC-8(c) |
3.1.9,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-7 |
SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088 |
NaN |
SV-234808r622137_rule |
CCI-000048,CCI-000050,CCI-001384,CCI-001385,CCI-001386,CCI-001387,CCI-001388 |
1,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.10 |
A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
NaN |
FMT_MOF_EXT.1,1.10 |
| CCE-83266-7 |
Set the GNOME3 Login Warning Banner Text [ref] |
In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting banner-message-text to 'APPROVED_BANNER' where APPROVED_BANNER is the approved banner for your environment. To enable, add or edit banner-message-text to /etc/dconf/db/gdm.d/00-security-settings. For example: [org/gnome/login-screen] banner-message-text='APPROVED_BANNER' Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example: /org/gnome/login-screen/banner-message-text After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines. |
An appropriate warning message reinforces policy awareness during the logonprocess and facilitates possible legal action against attackers. |
medium |
content_rule_dconf_gnome_login_banner_text |
SLES-15-010090 |
AC-8(a),AC-8(c) |
3.1.9,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-7 |
SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088 |
NaN |
SV-234809r622137_rule |
CCI-000048 |
1,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.10 |
A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
NaN |
FMT_MOF_EXT.1,1.10 |
| CCE-85668-2 |
Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement [ref] |
Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for the SUSE operating system: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Check the configuration by running the following command: # more /etc/gdm/Xsession The beginning of the file must contain the following text immediately after #!/bin/sh: if ! zenity --text-info \ --title "Consent" \ --filename=/etc/gdm/banner \ --no-markup \ --checkbox="Accept." 10 10; then sleep 1; exit 1; fi |
Display of a standardized and approved use notification before granting access to the operating systemensures privacy and security notification verbiage used is consistent with applicable federal laws,Executive Orders, directives, policies, regulations, standards, and guidance.For U.S. Government systems, system use notifications are required only for access via login interfaceswith human users and are not required when such human interfaces do not exist. |
medium |
content_rule_gui_login_dod_acknowledgement |
SLES-15-010050 |
AC-8,a,AC-8.1,(ii),AC-8,b,AC-8.1,(iii) |
NaN |
NaN |
SRG-OS-000023-GPOS-00006 |
NaN |
SV-234806r622137_rule |
CCI-000048,CCI-000050 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83262-6 |
Modify the System Login Banner [ref] |
To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: I've read & consent to terms in IS user agreem't. |
Display of a standardized and approved use notification before grantingaccess to the operating system ensures privacy and security notificationverbiage used is consistent with applicable federal laws, Executive Orders,directives, policies, regulations, standards, and guidance.System use notifications are required only for access via login interfaceswith human users and are not required when such human interfaces do notexist. |
medium |
content_rule_banner_etc_issue |
SLES-15-010020 |
AC-8(a),AC-8(c) |
3.1.9,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-7 |
SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000023-VMM-000060,SRG-OS-000024-VMM-000070 |
NaN |
SV-234803r622137_rule |
CCI-000048,CCI-000050 |
1,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.10 |
A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
NaN |
FMT_MOF_EXT.1,1.8.1.2 |
| CCE-85678-1 |
Limit Password Reuse [ref] |
Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember=5 to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: for the pam_unix.so case: password sufficient pam_unix.so ...existing_options... remember=5 for the pam_pwhistory.so case: password requisite pam_pwhistory.so ...existing_options... remember=5 The DoD STIG requirement is 5 passwords. |
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
medium |
content_rule_accounts_password_pam_unix_remember |
SLES-15-020250 |
NaN |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4,3.5.8 |
PR.AC-1,PR.AC-6,PR.AC-7 |
SRG-OS-000077-GPOS-00045,SRG-OS-000077-VMM-000440 |
NaN |
SV-234894r622137_rule |
CCI-000200 |
1,5,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 |
IA-5(1)(e),IA-5(1).1(v),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 |
BP28(R18) |
5.6.2.1.1,Req-8.2.5 |
| CCE-85619-5 |
Enforce Delay After Failed Logon Attempts [ref] |
To configure the system to introduce a delay after failed logon attempts, add or correct the pam_faildelay settings in /etc/pam.d/common-auth to make sure its delay parameter is at least 4000000 or greater. For example: auth required pam_faildelay.so delay=4000000 |
Limiting the number of logon attempts over a certain time interval reducesthe chances that an unauthorized user may gain access to an account. |
medium |
content_rule_accounts_passwords_pam_faildelay_delay |
SLES-15-040000 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00226 |
NaN |
SV-234982r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85554-4 |
Set Deny For Failed Password Attempts [ref] |
The SUSE Linux Enterprise 15 operating system must lock an account after - at most - 3 consecutive invalid access attempts. |
By limiting the number of failed logon attempts, the risk of unauthorizedsystem access via user password guessing, otherwise known as brute-forceattacks, is reduced. Limits are imposed by locking the account.To configure the operating system to lock an account after threeunsuccessful consecutive access attempts using pam_tally2.so,modify the content of both /etc/pam.d/common-auth and/etc/pam.d/common-account as follows: add or modify the pam_tally2.so module line in/etc/pam.d/common-auth to ensure both onerr=fail anddeny=3 are present. For example:auth required pam_tally2.so onerr=fail silent audit deny=3 add or modify the following line in /etc/pam.d/common-account:account required pam_tally2.so |
medium |
content_rule_accounts_passwords_pam_tally2 |
SLES-15-020010 |
NaN |
NaN |
NaN |
SRG-OS-000021-GPOS-00005 |
NaN |
SV-234867r622137_rule |
CCI-000044 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
5.3.2 |
| CCE-85564-3 |
Set Password Strength Minimum Digit Characters [ref] |
The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords. |
Requiring digits makes password guessing attacks more difficult by ensuringa larger search space. |
medium |
content_rule_cracklib_accounts_password_pam_dcredit |
SLES-15-020150 |
NaN |
NaN |
NaN |
SRG-OS-000071-GPOS-00039 |
NaN |
SV-234884r622137_rule |
CCI-000194 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
5.3.1 |
| CCE-85677-3 |
Set Password Strength Minimum Different Characters [ref] |
The pam_cracklib module's difok parameter controls requirements for usage of different characters during a password change. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Make sure the difok parameter for the pam_cracklib module is configured to greater than or equal to 8. |
Requiring a minimum number of different characters during password changesensures that newly changed passwords should not resemble previouslycompromised ones. Note that passwords which are changed on compromisedsystems will still be compromised, however. |
medium |
content_rule_cracklib_accounts_password_pam_difok |
SLES-15-020160 |
NaN |
NaN |
NaN |
SRG-OS-000072-GPOS-00040 |
NaN |
SV-234885r622137_rule |
CCI-000195 |
NaN |
NaN |
NaN |
NaN |
IA-5(1).1(v),IA-5(1)(b) |
NaN |
NaN |
NaN |
| CCE-85676-5 |
Set Password Strength Minimum Lowercase Characters [ref] |
The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords. |
Requiring a minimum number of lowercase characters makes password guessingattacks more difficult by ensuring a larger search space. |
medium |
content_rule_cracklib_accounts_password_pam_lcredit |
SLES-15-020140 |
NaN |
NaN |
NaN |
SRG-OS-000070-GPOS-00038 |
NaN |
SV-234883r622137_rule |
CCI-000193 |
NaN |
NaN |
NaN |
NaN |
IA-5(1)(a),IA-5(1).1(v) |
NaN |
NaN |
5.3.1 |
| CCE-85573-4 |
Set Password Minimum Length [ref] |
The pam_cracklib module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=15 to set minimum password length requirements. |
Password length is one factor of several that helps to determinestrength and how long it takes to crack a password. Use of more characters ina password helps to exponentially increase the time and/or resourcesrequired to compromise the password. |
medium |
content_rule_cracklib_accounts_password_pam_minlen |
SLES-15-020260 |
NaN |
NaN |
NaN |
SRG-OS-000078-GPOS-00046 |
NaN |
SV-234895r622137_rule |
CCI-000205 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
5.3.1 |
| CCE-85574-2 |
Set Password Strength Minimum Special Characters [ref] |
The pam_cracklib module's ocredit= parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Make sure the ocredit parameter for the pam_cracklib module is set to less than or equal to -1. For example, ocredit=-1. |
Requiring a minimum number of special characters makes password guessingattacks more difficult by ensuring a larger search space. |
medium |
content_rule_cracklib_accounts_password_pam_ocredit |
SLES-15-020270 |
NaN |
NaN |
NaN |
SRG-OS-000266-GPOS-00101 |
NaN |
SV-234896r622137_rule |
CCI-001619 |
NaN |
NaN |
NaN |
NaN |
IA-5(a),IA-5(v) |
NaN |
NaN |
5.3.1 |
| CCE-85675-7 |
Set Password Strength Minimum Uppercase Characters [ref] |
The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords. |
Requiring a minimum number of uppercase characters makes password guessingattacks more difficult by ensuring a larger search space. |
medium |
content_rule_cracklib_accounts_password_pam_ucredit |
SLES-15-020130 |
NaN |
NaN |
NaN |
SRG-OS-000069-GPOS-00037 |
NaN |
SV-234882r622137_rule |
CCI-000192 |
NaN |
NaN |
NaN |
NaN |
IA-5(1)(a),IA-5(1).1(v) |
NaN |
NaN |
5.3.1 |
| CCE-85754-0 |
Set PAM's Common Authentication Hashing Algorithm [ref] |
The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/common-auth, the auth section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the auth section to include the argument sha512, as shown below: auth required pam_unix.so sha512 other arguments... This will help ensure when local users change their authentication method, hashes for the new authentications will be generated using the SHA-512 algorithm. This is the default. |
Unapproved mechanisms used for authentication to the cryptographic moduleare not verified and therefore cannot be relied on to provideconfidentiality or integrity, and data may be compromised.This setting ensures user and group account administration utilities areconfigured to store only encrypted representations of passwords.Additionally, the crypt_style configuration option ensures the useof a strong hashing algorithm that makes password cracking attacks moredifficult. |
medium |
content_rule_set_password_hashing_algorithm_commonauth |
SLES-15-010250 |
IA-7 |
NaN |
NaN |
SRG-OS-000120-GPOS-00061,SRG-OS-000480-VMM-002000 |
NaN |
SV-234824r622137_rule |
CCI-000803 |
NaN |
NaN |
NaN |
NaN |
IA-7.1 |
NaN |
NaN |
NaN |
| CCE-83279-0 |
Set Password Hashing Algorithm in /etc/login.defs [ref] |
In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512 |
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwordsthat are encrypted with a weak algorithm are no more protected than if they are kept in plain text.Using a stronger hashing algorithm makes password cracking attacks more difficult. |
medium |
content_rule_set_password_hashing_algorithm_logindefs |
SLES-15-010260 |
CM-6(a) |
3.13.11,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4 |
PR.AC-1,PR.AC-6,PR.AC-7 |
SRG-OS-000073-GPOS-00041 |
NaN |
SV-234825r622137_rule |
CCI-000196 |
1,5,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 |
IA-5(c),IA-5(1)(c),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 |
BP28(R32) |
5.6.2.2,0418,1055,1402,Req-8.2.1,5.4.1.2 |
| CCE-85565-0 |
Set PAM's Password Hashing Algorithm [ref] |
The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/common-password, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below: password required pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
Passwords need to be protected at all times, and encryption is the standardmethod for protecting passwords. If passwords are not encrypted, they canbe plainly read (i.e., clear text) and easily compromised. Passwords thatare encrypted with a weak algorithm are no more protected than if they arekepy in plain text.This setting ensures user and group account administration utilities areconfigured to store only encrypted representations of passwords.Additionally, the crypt_style configuration option ensures the useof a strong hashing algorithm that makes password cracking attacks moredifficult. |
medium |
content_rule_set_password_hashing_algorithm_systemauth |
SLES-15-020170 |
CM-6(a) |
3.13.11,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4 |
PR.AC-1,PR.AC-6,PR.AC-7 |
SRG-OS-000073-GPOS-00041,SRG-OS-000480-VMM-002000 |
NaN |
SV-234886r622137_rule |
CCI-000196 |
1,5,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 |
IA-5(c),IA-5(1)(c),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 |
BP28(R32) |
5.6.2.2,0418,1055,1402,Req-8.2.1 |
| CCE-85567-6 |
Set Password Hashing Rounds in /etc/login.defs [ref] |
In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. For example: SHA_CRYPT_MIN_ROUNDS 5000 SHA_CRYPT_MAX_ROUNDS 5000 Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of 5000. |
Passwords need to be protected at all times, and encryption is the standardmethod for protecting passwords. If passwords are not encrypted, they canbe plainly read (i.e., clear text) and easily compromised. Passwordsthat are encrypted with a weak algorithm are no more protected than ifthey are kept in plain text.Using more hashing rounds makes password cracking attacks more difficult. |
medium |
content_rule_set_password_hashing_min_rounds_logindefs |
SLES-15-020180 |
NaN |
NaN |
NaN |
SRG-OS-000073-GPOS-00041,SRG-OS-000120-GPOS-00061 |
NaN |
SV-234887r622137_rule |
CCI-000803 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85560-1 |
Ensure PAM Displays Last Logon/Access Notification [ref] |
To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/login to read as follows: session required pam_lastlog.so showfailed And make sure that the silent option is not set. |
Users need to be aware of activity that occurs regardingtheir account. Providing users with information regarding the numberof unsuccessful attempts that were made to login to their accountallows the user to determine if any unauthorized activity has occurredand gives them an opportunity to notify administrators. |
low |
content_rule_display_login_attempts |
SLES-15-020080 |
AC-9(1),CM-6(a) |
4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-7 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234873r622137_rule |
CCI-000366 |
1,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.10 |
A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
NaN |
5.5.2,0582,0584,05885,0586,0846,0957,Req-10.2.4 |
| CCE-85641-9 |
The PAM configuration should not be changed automatically [ref] |
Verify the SUSE operating system is configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. |
pam-config is a command line utility that automatically generatesa system PAM configuration as packages are installed, updated or removedfrom the system. pam-config removes configurations for PAM modulesand parameters that it does not know about. It may render ineffective PAMconfiguration by the system administrator and thus impact system security. |
medium |
content_rule_pam_disable_automatic_configuration |
SLES-15-040220 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235006r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83268-3 |
Check that vlock is installed to allow session locking [ref] |
The SUSE Linux Enterprise 15 operating system must have vlock installed to allow for session locking. The kbd package can be installed with the following command: $ sudo zypper install kbd |
A session lock is a temporary action taken when a user stops work andmoves away from the immediate physical vicinity of the informationsystem but does not want to log out because of the temporary nature ofthe absence.The session lock is implemented at the point where session activity canbe determined.Regardless of where the session lock is determined and implemented,once invoked, the session lock must remain in place until the userreauthenticates. No other activity aside from reauthentication mustunlock the system. |
medium |
content_rule_vlock_installed |
SLES-15-010110 |
NaN |
NaN |
NaN |
SRG-OS-000028-GPOS-00009 |
NaN |
SV-234811r622137_rule |
CCI-000056,CCI-000058,CCI-000060 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83292-3 |
Install Smart Card Packages For Multifactor Authentication [ref] |
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The pam_pkcs11 package can be installed with the following command: $ sudo zypper install pam_pkcs11 The mozilla-nss package can be installed with the following command: $ sudo zypper install mozilla-nss The mozilla-nss-tools package can be installed with the following command: $ sudo zypper install mozilla-nss-tools The pcsc-ccid package can be installed with the following command: $ sudo zypper install pcsc-ccid The pcsc-lite package can be installed with the following command: $ sudo zypper install pcsc-lite The pcsc-tools package can be installed with the following command: $ sudo zypper install pcsc-tools The opensc package can be installed with the following command: $ sudo zypper install opensc |
Using an authentication device, such as a CAC or token that is separate fromthe information system, ensures that even if the information system iscompromised, that compromise will not affect credentials stored on theauthentication device.Multifactor solutions that require devices separate frominformation systems gaining access include, for example, hardware tokensproviding time-based or challenge-response authenticators and smart cards suchas the U.S. Government Personal Identity Verification card and the DoD CommonAccess Card. |
medium |
content_rule_install_smartcard_packages |
SLES-15-010460 |
CM-6(a) |
NaN |
NaN |
SRG-OS-000105-GPOS-00052,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000377-GPOS-00162 |
NaN |
SV-234854r622137_rule |
CCI-000765,CCI-001948,CCI-001953,CCI-001954 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83272-5 |
Configure Smart Card Certificate Authority Validation [ref] |
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ca like so: cert_policy = ca, ocsp_on, signature; |
Using an authentication device, such as a CAC or token that is separate fromthe information system, ensures that even if the information system iscompromised, that compromise will not affect credentials stored on theauthentication device.Multifactor solutions that require devices separate frominformation systems gaining access include, for example, hardware tokensproviding time-based or challenge-response authenticators and smart cards suchas the U.S. Government Personal Identity Verification card and the DoD CommonAccess Card. |
medium |
content_rule_smartcard_configure_ca |
SLES-15-010170 |
NaN |
NaN |
NaN |
SRG-OS-000066-GPOS-00034,SRG-OS-000384-GPOS-00167 |
NaN |
SV-234817r622137_rule |
CCI-000185,CCI-001991 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83293-1 |
Configure Smart Card Certificate Status Checking [ref] |
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so: cert_policy = ca, ocsp_on, signature; |
Using an authentication device, such as a CAC or token that is separate fromthe information system, ensures that even if the information system iscompromised, that compromise will not affect credentials stored on theauthentication device.Multifactor solutions that require devices separate frominformation systems gaining access include, for example, hardware tokensproviding time-based or challenge-response authenticators and smart cards suchas the U.S. Government Personal Identity Verification card and the DoD CommonAccess Card. |
medium |
content_rule_smartcard_configure_cert_checking |
SLES-15-010470 |
NaN |
NaN |
NaN |
SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162,SRG-OS-000384-GPOS-00167 |
NaN |
SV-234855r622137_rule |
CCI-001948,CCI-001953,CCI-001954 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85556-9 |
Enable Smart Card Logins in PAM [ref] |
This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Check that the pam_pkcs11.so option is configured in the etc/pam.d/common-auth file with the following command: # grep pam_pkcs11.so /etc/pam.d/common-auth auth sufficient pam_pkcs11.so For general information about enabling smart card authentication, consult the documentation at: https://www.suse.com/c/configuring-smart-card-authentication-suse-linux-enterprise/ |
Smart card login provides two-factor authentication stronger thanthat provided by a username and password combination. Smart cards leverage PKI(public key infrastructure) in order to provide and verify credentials.Using an authentication device, such as a CAC or token that is separatefrom the information system, ensures that even if the information system iscompromised, that compromise will not affect credentials stored on theauthentication device.Multifactor solutions that require devices separate from informationsystems gaining access include, for example, hardware tokens providingtime-based or challenge-response authenticators and smart cards such as theU.S. Government Personal Identity Verification card and the DoD CommonAccess Card. |
medium |
content_rule_smartcard_pam_enabled |
SLES-15-020030 |
NaN |
NaN |
NaN |
SRG-OS-000068-GPOS-00036,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162 |
NaN |
SV-234869r622137_rule |
CCI-000765,CCI-000766,CCI-000767,CCI-000768,CCI-000187,CCI-001948,CCI-001953,CCI-001954 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85665-8 |
Disable Ctrl-Alt-Del Burst Action [ref] |
By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf: CtrlAltDelBurstAction=noneWarning: Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3. |
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,can reboot the system. If accidentally pressed, as could happen inthe case of mixed OS environment, this can create the risk of short-termloss of availability of systems due to unintentional reboot. |
high |
content_rule_disable_ctrlaltdel_burstaction |
SLES-15-040062 |
CM-6(b),CM-6.1(iv) |
4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3,3.4.5 |
PR.AC-4,PR.DS-5 |
SRG-OS-000324-GPOS-00125,SRG-OS-000480-GPOS-00227 |
NaN |
SV-234990r622137_rule |
CCI-000366 |
3,5,12,13,14,15,16,18 |
NaN |
164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
NaN |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2 |
| CCE-85625-2 |
Disable Ctrl-Alt-Del Reboot Activation [ref] |
By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed. To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following: ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target or systemctl mask ctrl-alt-del.target Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates. |
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,can reboot the system. If accidentally pressed, as could happen inthe case of mixed OS environment, this can create the risk of short-termloss of availability of systems due to unintentional reboot. |
high |
content_rule_disable_ctrlaltdel_reboot |
SLES-15-040060 |
AC-6(1),CM-6(a) |
4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3,3.4.5 |
PR.AC-4,PR.DS-5 |
SRG-OS-000324-GPOS-00125,SRG-OS-000480-GPOS-00227 |
NaN |
SV-234988r622137_rule |
CCI-000366 |
3,5,12,13,14,15,16,18 |
NaN |
164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
NaN |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2 |
| CCE-85558-5 |
Set Account Expiration Following Inactivity [ref] |
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd: INACTIVE=35 If a password is currently on the verge of expiration, then 35 day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus 35 day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information. |
Disabling inactive accounts ensures that accounts which may nothave been responsibly removed are not available to attackerswho may have compromised their credentials. |
medium |
content_rule_account_disable_post_pw_expiration |
SLES-15-020050 |
AC-2(3),CM-6(a),IA-4(e) |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,3.5.6 |
PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,DE.CM-1,DE.CM-3 |
SRG-OS-000118-GPOS-00060,SRG-OS-000003-VMM-000030,SRG-OS-000118-VMM-000590 |
NaN |
SV-234871r622137_rule |
CCI-000017,CCI-000795 |
1,3,5,7,8,12,13,14,15,16,18 |
NaN |
NaN |
DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 |
A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.12.4.1,A.12.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,6.2 |
NaN |
5.6.2.1.1,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,Req-8.1.4,5.4.1.5 |
| CCE-85559-3 |
Never Automatically Remove or Disable Emergency Administrator Accounts [ref] |
Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Check to see if an emergency administrator account password or account expires with the following command: # sudo chage -l [Emergency_Administrator] Password expires:never If Password expires or Account expires is set to anything other than never, this is a finding. |
Emergency accounts are different from infrequently used accounts (i.e.,local logon accounts used by the organization's system administrators whennetwork or normal logon/access is not available). Infrequently usedaccounts are not subject to automatic termination dates. Emergency accountsare accounts created in response to crisis situations, usually for use bymaintenance personnel. The automatic expiration or disabling time periodmay be extended as needed until the crisis is resolved; however, it mustnot be extended indefinitely. A permanent account should be established forprivileged users who need long-term maintenance accounts.To address access requirements the SUSE operating system can be integratedwith enterprise-level authentication/access mechanisms that meet or exceedaccess control policy requirements. |
medium |
content_rule_account_emergency_admin |
SLES-15-020060 |
NaN |
NaN |
NaN |
SRG-OS-000123-GPOS-00064 |
NaN |
SV-234872r622137_rule |
CCI-001682 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85553-6 |
Assign Expiration Date to Temporary Accounts [ref] |
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately: $ sudo chage -E YYYY-MM-DD USER YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours. |
If temporary user accounts remain active when no longer needed or foran excessive period, these accounts may be used to gain unauthorized access.To mitigate this risk, automated termination of all temporary accountsmust be set upon account creation. |
medium |
content_rule_account_temp_expire_date |
SLES-15-020000 |
AC-2(2),AC-2(3),CM-6(a) |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4 |
PR.AC-1,PR.AC-4,PR.AC-6,DE.CM-1,DE.CM-3 |
SRG-OS-000123-GPOS-00064,SRG-OS-000002-GPOS-00002,SRG-OS-000002-VMM-000020,SRG-OS-000123-VMM-000620 |
NaN |
SV-234866r622137_rule |
CCI-000016,CCI-001682 |
1,3,5,7,8,12,13,14,15,16,18 |
NaN |
NaN |
DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS06.03 |
A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.12.4.1,A.12.4.3 |
SR,1.1,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,6.2 |
NaN |
NaN |
| CCE-85570-0 |
Set Password Maximum Age [ref] |
To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS 60 A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 60. |
Any password, no matter how complex, can eventually be cracked. Therefore, passwordsneed to be changed periodically. If the operating system does not limit the lifetimeof passwords and force users to change their passwords, there is the risk that theoperating system passwords could be compromised.Setting the password maximum age ensures users are required toperiodically change their passwords. Requiring shorter password lifetimesincreases the risk of users writing down the password in a convenientlocation subject to physical compromise. |
medium |
content_rule_accounts_maximum_age_login_defs |
SLES-15-020220 |
CM-6(a) |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4,3.5.6 |
PR.AC-1,PR.AC-6,PR.AC-7 |
SRG-OS-000076-GPOS-00044 |
NaN |
SV-234891r622137_rule |
CCI-000199 |
1,5,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 |
IA-5(f),IA-5(1)(d),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 |
BP28(R18) |
5.6.2.1,0418,1055,1402,Req-8.2.4,5.4.1.2 |
| CCE-85571-8 |
Set Existing Passwords Maximum Age [ref] |
Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command: $ sudo chage -M 60 USER |
Any password, no matter how complex, can eventually be cracked. Therefore,passwords need to be changed periodically. If the operating system doesnot limit the lifetime of passwords and force users to change theirpasswords, there is the risk that the operating system passwords could becompromised. |
medium |
content_rule_accounts_password_set_max_life_existing |
SLES-15-020230 |
CM-6(a) |
NaN |
NaN |
SRG-OS-000076-GPOS-00044,SRG-OS-000076-VMM-000430 |
NaN |
SV-234892r622137_rule |
CCI-000199 |
NaN |
NaN |
NaN |
NaN |
IA-5(f),IA-5(1)(d) |
NaN |
NaN |
NaN |
| CCE-85710-2 |
Set Existing Passwords Minimum Age [ref] |
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: $ sudo chage -m 1 USER |
Enforcing a minimum password lifetime helps to prevent repeated passwordchanges to defeat the password reuse or history enforcement requirement. Ifusers are allowed to immediately and continually change their password, thepassword could be repeatedly changed in a short period of time to defeat theorganization's policy regarding password reuse. |
medium |
content_rule_accounts_password_set_min_life_existing |
SLES-15-020210 |
NaN |
NaN |
NaN |
SRG-OS-000075-GPOS-00043,SRG-OS-000075-VMM000420 |
NaN |
SV-234890r622137_rule |
CCI-000198 |
NaN |
NaN |
NaN |
NaN |
IA-5(1).1(v) |
NaN |
NaN |
NaN |
| CCE-85566-8 |
Verify All Account Password Hashes are Shadowed with SHA512 [ref] |
Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command: # sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes ! or * indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with $6, this is a finding. |
The system must use a strong hashing algorithm to store the password. Thesystem must use a sufficient number of hashing rounds to ensure the requiredlevel of entropy. |
medium |
content_rule_accounts_password_all_shadowed_sha512 |
SLES-15-020180 |
IA-7 |
NaN |
NaN |
SRG-OS-000073-GPOS-00041,SRG-OS-000120-GPOS-00061 |
NaN |
SV-234887r622137_rule |
CCI-000196,CCI-000803 |
NaN |
NaN |
NaN |
NaN |
IA-5(1)(c),IA-5(1).1(v),IA-7.1 |
NaN |
NaN |
NaN |
| CCE-85576-7 |
Prevent Login to Accounts With Empty Password [ref] |
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in password authentication configurations in /etc/pam.d/ to prevent logins with empty passwords. Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway. |
If an account has an empty password, anyone could log in andrun commands with the privileges of that account. Accounts withempty passwords should never be used in operational environments. |
high |
content_rule_no_empty_passwords |
SLES-15-020300 |
CM-6(a) |
3.1.1,3.1.5,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4 |
PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234898r622137_rule |
CCI-000366 |
1,3,5,12,13,14,15,16,18 |
NaN |
164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) |
APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10 |
IA-5(1)(a),IA-5(c),A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,5.2 |
NaN |
5.5.2,FIA_UAU.1,Req-8.2.3 |
| CCE-85664-1 |
Verify Only Root Has UID 0 [ref] |
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned. |
An account has root authority if it has a UID of 0. Multiple accountswith a UID of 0 afford more opportunity for potential intruders toguess a password for a privileged account. Proper configuration ofsudo is recommended to afford multiple system administratorsaccess to root privileges in an accountable manner. |
high |
content_rule_accounts_no_uid_except_zero |
SLES-15-020100 |
CM-6(b),CM-6.1(iv) |
3.1.1,3.1.5,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,CIP-003-3,R5.1.1,CIP-003-3,R5.3 |
PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234876r622137_rule |
CCI-000366 |
1,3,5,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,5.2 |
NaN |
CIP-004-3,R2.2.3,CIP-004-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.2,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,6.2.3 |
| CCE-85672-4 |
Ensure that System Accounts Do Not Run a Shell Upon Login [ref] |
Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than UID_MIN, where value of UID_MIN directive is set in /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command: $ sudo usermod -s /sbin/nologin SYSACCTWarning: Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible. |
Ensuring shells are not given to system accounts upon login makes it moredifficult for attackers to make use of system accounts. |
medium |
content_rule_no_shelllogin_for_systemaccounts |
SLES-15-020091 |
AC-6,CM-6(a),CM-6(b),CM-6.1(iv) |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4 |
PR.AC-1,PR.AC-4,PR.AC-6,DE.CM-1,DE.CM-3 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234875r622137_rule |
CCI-000366 |
1,3,5,7,8,12,13,14,15,16,18 |
NaN |
NaN |
DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS06.03 |
A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.12.4.1,A.12.4.3 |
SR,1.1,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,6.2 |
NaN |
1491,5.4.2 |
| CCE-83277-4 |
Ensure All Accounts on the System Have Unique User IDs [ref] |
Change user IDs (UIDs), or delete accounts, so each has a unique name. |
To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. |
medium |
content_rule_account_unique_id |
SLES-15-010230 |
NaN |
NaN |
NaN |
SRG-OS-000104-GPOS-00051,SRG-OS-000121-GPOS-00062,SRG-OS-000042-GPOS-00020 |
NaN |
SV-234822r622137_rule |
CCI-000764,CCI-000804 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
6.2.14 |
| CCE-85561-9 |
Only Authorized Local User Accounts Exist on Operating System [ref] |
Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only authorized local users required by the installed softoware groups and applications that exist on the operating system. The authorized user list can be customized in the refine value variable var_accounts_authorized_local_users_regex. OVAL regular expression is used for the user list. Configure the system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. To remove unauthorized system accounts, use the following command: $ sudo userdel unauthorized_user |
Accounts providing no operational purpose provide additional opportunities forsystem compromise. Unnecessary accounts include user accounts for individuals notrequiring access to the system and application accounts for applications not installedon the system. |
medium |
content_rule_accounts_authorized_local_users |
SLES-15-020090 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234874r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85659-1 |
Ensure the Default Umask is Set Correctly in login.defs [ref] |
To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows: UMASK 027 |
The umask value influences the permissions assigned to files when they are created.A misconfigured umask value could result in files with excessive permissions that can be read andwritten to by unauthorized users. |
medium |
content_rule_accounts_umask_etc_login_defs |
SLES-15-040420 |
AC-6(1),CM-6(a) |
CIP-003-3,R5.1.1,CIP-003-3,R5.3,4.3.4.3.2,4.3.4.3.3 |
PR.IP-1,PR.IP-2 |
SRG-OS-000480-GPOS-00228 |
NaN |
SV-235030r622137_rule |
CCI-000366 |
3,9,11,18 |
NaN |
NaN |
APO13.01,BAI03.01,BAI03.02,BAI03.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05 |
A.6.1.5,A.12.1.2,A.12.5.1,A.12.6.2,A.14.1.1,A.14.2.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.5 |
SR,7.6 |
BP28(R35) |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,5.4.5 |
| CCE-85562-7 |
Ensure Home Directories are Created for New Users [ref] |
All local interactive user accounts, upon creation, should be assigned a home directory. Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows: CREATE_HOME yes |
If local interactive users are not assigned a valid home directory, there is no placefor the storage and control of files they should own. |
medium |
content_rule_accounts_have_homedir_login_defs |
SLES-15-020110 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234880r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85555-1 |
Limit the Number of Concurrent Login Sessions Allowed Per User [ref] |
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf or a file under /etc/security/limits.d/: * hard maxlogins 10 |
Limiting simultaneous user logins can insulate the system from denial of serviceproblems caused by excessive logins. Automated login processes operating improperly ormaliciously may result in an exceptional number of simultaneous login sessions. |
low |
content_rule_accounts_max_concurrent_login_sessions |
SLES-15-020020 |
AC-10,CM-6(a) |
4.3.3.4 |
PR.AC-5 |
SRG-OS-000027-GPOS-00008,SRG-OS-000027-VMM-000080 |
NaN |
SV-234868r622137_rule |
CCI-000054 |
9,14,15,18 |
NaN |
NaN |
DSS01.05,DSS05.02 |
A.13.1.1,A.13.1.3,A.13.2.1,A.14.1.2,A.14.1.3 |
SR,3.1,SR,3.8 |
NaN |
5.5.2.2,CIP-007-3,R5.1,CIP-007-3,R5.1.2 |
| CCE-83269-1 |
Set Interactive Session Timeout [ref] |
Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile.d/autologout.sh should read as follows: TMOUT=900 readonly TMOUT export TMOUT |
Terminating an idle session within a short time period reducesthe window of opportunity for unauthorized personnel to take control of amanagement session enabled on the console or console port that has beenleft unattended. |
medium |
content_rule_accounts_tmout |
SLES-15-010130 |
AC-12,AC-2(5),CM-6(a),SC-10 |
3.1.11,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-7 |
SRG-OS-000163-GPOS-00072,SRG-OS-000029-GPOS-00010,SRG-OS-000163-VMM-000700,SRG-OS-000279-VMM-001010 |
NaN |
SV-234813r622137_rule |
CCI-000057,CCI-001133,CCI-002361 |
1,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.10 |
A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
BP28(R29) |
CIP-004-3,R2.2.3,CIP-007-3,R5.1,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,FMT_MOF_EXT.1,5.4.4 |
| CCE-85632-8 |
User Initialization Files Must Not Run World-Writable Programs [ref] |
Set the mode on files being executed by the user initialization files with the following command: $ sudo chmod 0755 FILE |
If user start-up files execute world-writable programs, especially inunprotected directories, they could be maliciously modified to destroy userfiles or otherwise compromise the system at the user level. If the system iscompromised at the user level, it is easier to elevate privileges to eventuallycompromise the system at the root and network level. |
medium |
content_rule_accounts_user_dot_no_world_writable_programs |
SLES-15-040130 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234997r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85631-0 |
Ensure that Users Path Contains Only Local Directories [ref] |
Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory. |
The executable search path (typically the PATH environment variable) contains alist of directories for the shell to search to find executables. If this pathincludes the current working directory (other than the users home directory),executables in these directories may be executed instead of system commands.This variable is formatted as a colon-separated list of directories. If there isan empty entry, such as a leading or trailing colon or two consecutive colons,this is interpreted as the current working directory. If deviations from thedefault system search path for the local interactive user are required, theymust be documented with the Information System Security Officer (ISSO). |
medium |
content_rule_accounts_user_home_paths_only |
SLES-15-040120 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234996r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85627-8 |
All Interactive Users Must Have A Home Directory Defined [ref] |
Assign home directories to all interactive users that currently do not have a home directory assigned. |
If local interactive users are not assigned a valid home directory, there is noplace for the storage and control of files they should own. |
medium |
content_rule_accounts_user_interactive_home_directory_defined |
SLES-15-040070 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234991r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85628-6 |
All Interactive Users Home Directories Must Exist [ref] |
Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd: $ sudo mkdir /home/USER |
If a local interactive user has a home directory defined that does not exist,the user may be given access to the / directory as the current working directoryupon logon. This could create a Denial of Service because the user would not beable to access their logon configuration files, and it may give them visibilityto system files they normally would not be able to access. |
medium |
content_rule_accounts_user_interactive_home_directory_exists |
SLES-15-040080 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234992r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
6.2.5 |
| CCE-85711-0 |
All Interactive User Home Directories Must Be Group-Owned By The Primary User [ref] |
Change the group owner of interactive users home directory to the group found in /etc/passwd. To change the group owner of interactive users home directory, use the following command: $ sudo chgrp USER_GROUP /home/USER |
If the Group Identifier (GID) of a local interactive users home directory isnot the same as the primary GID of the user, this would allow unauthorizedaccess to the users files, and users that share the same group may not beable to access files that they legitimately should. |
medium |
content_rule_file_groupownership_home_directories |
SLES-15-040100 |
CM-6(b),CM-6.1(iv) |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234994r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85630-2 |
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive [ref] |
Set the mode of the user initialization files to 0740 with the following command: $ sudo chmod 0740 /home/USER/.INIT_FILE |
Local initialization files are used to configure the user's shell environmentupon logon. Malicious modification of these files could compromise accounts uponlogon. |
medium |
content_rule_file_permission_user_init_files |
SLES-15-040110 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234995r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85629-4 |
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive [ref] |
Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command: $ sudo chmod 0750 /home/USER |
Excessive permissions on local interactive user home directories may allowunauthorized access to user files by other users. |
medium |
content_rule_file_permissions_home_directories |
SLES-15-040090 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234993r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
6.2.6 |
| CCE-85693-0 |
Record Events that Modify the System's Discretionary Access Controls - chmod [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_chmod |
SLES-15-030290 |
AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234928r622137_rule |
CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85690-6 |
Record Events that Modify the System's Discretionary Access Controls - chown [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_chown |
SLES-15-030250 |
AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234924r622137_rule |
CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85694-8 |
Record Events that Modify the System's Discretionary Access Controls - fchmod [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_fchmod |
SLES-15-030300 |
AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234929r622137_rule |
CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85695-5 |
Record Events that Modify the System's Discretionary Access Controls - fchmodat [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_fchmodat |
SLES-15-030310 |
AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234930r622137_rule |
CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85721-9 |
Record Events that Modify the System's Discretionary Access Controls - fchown [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_fchown |
SLES-15-030260 |
AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234925r622137_rule |
CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85692-2 |
Record Events that Modify the System's Discretionary Access Controls - fchownat [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_fchownat |
SLES-15-030280 |
AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234927r622137_rule |
CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85686-4 |
Record Events that Modify the System's Discretionary Access Controls - fremovexattr [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_fremovexattr |
SLES-15-030210 |
AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234920r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85688-0 |
Record Events that Modify the System's Discretionary Access Controls - fsetxattr [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_fsetxattr |
SLES-15-030230 |
AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234922r622137_rule |
CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85691-4 |
Record Events that Modify the System's Discretionary Access Controls - lchown [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_lchown |
SLES-15-030270 |
AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234926r622137_rule |
CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85685-6 |
Record Events that Modify the System's Discretionary Access Controls - lremovexattr [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_lremovexattr |
SLES-15-030200 |
AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234919r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85689-8 |
Record Events that Modify the System's Discretionary Access Controls - lsetxattr [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_lsetxattr |
SLES-15-030240 |
AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234923r622137_rule |
CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85684-9 |
Record Events that Modify the System's Discretionary Access Controls - removexattr [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_removexattr |
SLES-15-030190 |
AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234918r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85687-2 |
Record Events that Modify the System's Discretionary Access Controls - setxattr [ref] |
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_setxattr |
SLES-15-030220 |
AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 |
NaN |
SV-234921r622137_rule |
CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9 |
| CCE-85734-2 |
Record Events that Modify the System's Discretionary Access Controls - umount [ref] |
At a minimum, the audit system should collect file system umount changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_umount |
SLES-15-030360 |
NaN |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 |
NaN |
SV-234935r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| NaN |
Record Events that Modify the System's Discretionary Access Controls - umount2 [ref] |
At a minimum, the audit system should collect file system umount2 changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_modWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
The changing of file permissions could indicate that a user is attempting togain access to information that would otherwise be disallowed. Auditing DAC modificationscan facilitate the identification of patterns of abuse among both authorized andunauthorized users. |
medium |
content_rule_audit_rules_dac_modification_umount2 |
SLES-15-030360 |
NaN |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 |
NaN |
SV-234935r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85595-7 |
Record Any Attempts to Run chacl [ref] |
At a minimum, the audit system should collect any execution attempt of the chacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Without generating audit records that are specific to the security andmission needs of the organization, it would be difficult to establish,correlate, and investigate the events relating to an incident or identifythose responsible for one.Audit records can be generated from various components within theinformation system (e.g., module or policy filter). |
medium |
content_rule_audit_rules_execution_chacl |
SLES-15-030440 |
NaN |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210 |
NaN |
SV-234943r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85593-2 |
Record Any Attempts to Run chmod [ref] |
At a minimum, the audit system should collect any execution attempt of the chmod command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Without generating audit records that are specific to the security andmission needs of the organization, it would be difficult to establish,correlate, and investigate the events relating to an incident or identifythose responsible for one.Audit records can be generated from various components within theinformation system (e.g., module or policy filter). |
medium |
content_rule_audit_rules_execution_chmod |
SLES-15-030420 |
NaN |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 |
NaN |
SV-234941r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85594-0 |
Record Any Attempts to Run setfacl [ref] |
At a minimum, the audit system should collect any execution attempt of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Without generating audit records that are specific to the security andmission needs of the organization, it would be difficult to establish,correlate, and investigate the events relating to an incident or identifythose responsible for one.Audit records can be generated from various components within theinformation system (e.g., module or policy filter). |
medium |
content_rule_audit_rules_execution_setfacl |
SLES-15-030430 |
NaN |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 |
NaN |
SV-234942r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85716-9 |
Record Any Attempts to Run chcon [ref] |
At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_execution_chcon |
SLES-15-030450 |
AU-3,AU-3.1,AU-12(a),AU-12.1(ii)AU-12.1(iv),MA-4(1)(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000463-VMM-001850 |
NaN |
SV-234944r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c |
| CCE-85596-5 |
Record Any Attempts to Run rm [ref] |
At a minimum, the audit system should collect any execution attempt of the rm command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Without generating audit records that are specific to the security andmission needs of the organization, it would be difficult to establish,correlate, and investigate the events relating to an incident or identifythose responsible for one.Audit records can be generated from various components within theinformation system (e.g., module or policy filter). |
medium |
content_rule_audit_rules_execution_rm |
SLES-15-030460 |
NaN |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 |
NaN |
SV-234945r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85681-5 |
Record Unsuccessful Access Attempts to Files - creat [ref] |
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditingthese events could serve as evidence of potential system compromise. |
medium |
content_rule_audit_rules_unsuccessful_file_modification_creat |
SLES-15-030160 |
AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 |
NaN |
SV-234915r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1,4.1.10 |
| CCE-85696-3 |
Record Unsuccessful Access Attempts to Files - ftruncate [ref] |
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditingthese events could serve as evidence of potential system compromise. |
medium |
content_rule_audit_rules_unsuccessful_file_modification_ftruncate |
SLES-15-030320 |
AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 |
NaN |
SV-234931r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1,4.1.10 |
| CCE-85680-7 |
Record Unsuccessful Access Attempts to Files - open [ref] |
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditingthese events could serve as evidence of potential system compromise. |
medium |
content_rule_audit_rules_unsuccessful_file_modification_open |
SLES-15-030150 |
AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),AU-3,AU-3.1,MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 |
NaN |
SV-234914r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1,4.1.10 |
| CCE-85683-1 |
Record Unsuccessful Access Attempts to Files - open_by_handle_at [ref] |
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditingthese events could serve as evidence of potential system compromise. |
medium |
content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at |
SLES-15-030180 |
AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 |
NaN |
SV-234917r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1 |
| CCE-85682-3 |
Record Unsuccessful Access Attempts to Files - openat [ref] |
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditingthese events could serve as evidence of potential system compromise. |
medium |
content_rule_audit_rules_unsuccessful_file_modification_openat |
SLES-15-030170 |
AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 |
NaN |
SV-234916r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1,4.1.10 |
| CCE-85701-1 |
Record Unsuccessul Delete Attempts to Files - rename [ref] |
The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete |
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditingthese events could serve as evidence of potential system compromise. |
medium |
content_rule_audit_rules_unsuccessful_file_modification_rename |
SLES-15-030710 |
AU-12(c),AU-12.1(iv) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 |
NaN |
SV-234970r622137_rule |
CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1 |
| CCE-85702-9 |
Record Unsuccessul Delete Attempts to Files - renameat [ref] |
The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete |
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditingthese events could serve as evidence of potential system compromise. |
medium |
content_rule_audit_rules_unsuccessful_file_modification_renameat |
SLES-15-030720 |
AU-12(c),AU-12.1(iv) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 |
NaN |
SV-234971r622137_rule |
CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1 |
| CCE-85726-8 |
Record Unsuccessul Delete Attempts to Files - renameat2 [ref] |
The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S renameat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S renameat2 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S renameat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S renameat2 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,renameat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete |
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditingthese events could serve as evidence of potential system compromise. |
medium |
content_rule_audit_rules_unsuccessful_file_modification_renameat2 |
SLES-15-030730 |
AU-12(c),AU-12.1(iv) |
NaN |
NaN |
SRG-OS-000468-GPOS-00212 |
NaN |
SV-234972r622137_rule |
CCI-000172 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85608-8 |
Record Unsuccessful Access Attempts to Files - truncate [ref] |
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient. |
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditingthese events could serve as evidence of potential system compromise. |
medium |
content_rule_audit_rules_unsuccessful_file_modification_truncate |
SLES-15-030610 |
AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 |
NaN |
SV-234960r622137_rule |
CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1,4.1.10 |
| CCE-85703-7 |
Record Unsuccessul Delete Attempts to Files - unlink [ref] |
The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete |
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditingthese events could serve as evidence of potential system compromise. |
medium |
content_rule_audit_rules_unsuccessful_file_modification_unlink |
SLES-15-030740 |
AU-12(c),AU-12.1(iv) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 |
NaN |
SV-234973r622137_rule |
CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1 |
| CCE-85704-5 |
Record Unsuccessul Delete Attempts to Files - unlinkat [ref] |
The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteWarning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete |
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditingthese events could serve as evidence of potential system compromise. |
medium |
content_rule_audit_rules_unsuccessful_file_modification_unlinkat |
SLES-15-030750 |
AU-12(c),AU-12.1(iv) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 |
NaN |
SV-234974r622137_rule |
CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1 |
| CCE-85748-2 |
Ensure auditd Collects Information on Kernel Module Unloading - delete_module [ref] |
To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S delete_module -F key=modules Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules. |
The removal of kernel modules can be used to alter the behavior ofthe kernel and potentially introduce malicious code into kernel space. It is importantto have an audit trail of modules that have been introduced into the kernel. |
medium |
content_rule_audit_rules_kernel_module_loading_delete |
SLES-15-030520 |
AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000477-VMM-001970 |
NaN |
SV-234951r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.7,4.1.16 |
| CCE-85749-0 |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module [ref] |
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S finit_module -F key=modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S finit_module -F key=modules |
The addition/removal of kernel modules can be used to alter the behavior ofthe kernel and potentially introduce malicious code into kernel space. It is importantto have an audit trail of modules that have been introduced into the kernel. |
medium |
content_rule_audit_rules_kernel_module_loading_finit |
SLES-15-030530 |
AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000477-VMM-001970 |
NaN |
SV-234952r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.7 |
| CCE-85750-8 |
Ensure auditd Collects Information on Kernel Module Loading - init_module [ref] |
To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S init_module -F key=modules Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules. |
The addition of kernel modules can be used to alter the behavior ofthe kernel and potentially introduce malicious code into kernel space. It is importantto have an audit trail of modules that have been introduced into the kernel. |
medium |
content_rule_audit_rules_kernel_module_loading_init |
SLES-15-030540 |
AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000477-VMM-001970 |
NaN |
SV-234953r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.7,4.1.16 |
| CCE-85598-1 |
Record Attempts to Alter Logon and Logout Events - lastlog [ref] |
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/lastlog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/lastlog -p wa -k logins |
Manual editing of these files may indicate nefarious activity, suchas an attacker attempting to remove evidence of an intrusion. |
medium |
content_rule_audit_rules_login_events_lastlog |
SLES-15-030480 |
AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000470-GPOS-00214,SRG-OS-000473-VMM-001930,SRG-OS-000470-VMM-001900 |
NaN |
SV-234947r622137_rule |
CCI-000126,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.3,4.1.7 |
| CCE-85597-3 |
Record Attempts to Alter Logon and Logout Events - tallylog [ref] |
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -w /var/log/tallylog -p wa -k logins |
Manual editing of these files may indicate nefarious activity, suchas an attacker attempting to remove evidence of an intrusion. |
medium |
content_rule_audit_rules_login_events_tallylog |
SLES-15-030470 |
AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218,SRG-OS-000473-VMM-001930,SRG-OS-000470-VMM-001900 |
NaN |
SV-234946r622137_rule |
CCI-000172,CCI-002884,CCI-000126 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.3 |
| CCE-85587-4 |
Ensure auditd Collects Information on the Use of Privileged Commands - chage [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_chage |
SLES-15-030120 |
AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000471-VMM-001910 |
NaN |
SV-234911r622137_rule |
CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3 |
| CCE-85589-0 |
Ensure auditd Collects Information on the Use of Privileged Commands - chfn [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Without generating audit records that are specific to the security andmission needs of the organization, it would be difficult to establish,correlate, and investigate the events relating to an incident or identifythose responsible for one.Audit records can be generated from various components within theinformation system (e.g., module or policy filter). |
medium |
content_rule_audit_rules_privileged_commands_chfn |
SLES-15-030340 |
AU-3,AU-12(a),AU-12(c),MA-4(1)(a) |
NaN |
NaN |
NaN |
NaN |
SV-234933r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85586-6 |
Ensure auditd Collects Information on the Use of Privileged Commands - chsh [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_chsh |
SLES-15-030100 |
AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-VMM-001910 |
NaN |
SV-234909r622137_rule |
CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3 |
| CCE-85588-2 |
Ensure auditd Collects Information on the Use of Privileged Commands - crontab [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_crontab |
SLES-15-030130 |
AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-VMM-001910 |
NaN |
SV-234912r622137_rule |
CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4 |
| CCE-85584-1 |
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_gpasswd |
SLES-15-030080 |
AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-VMM-001910 |
NaN |
SV-234907r622137_rule |
CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c |
| CCE-85744-1 |
Ensure auditd Collects Information on the Use of Privileged Commands - insmod [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -w /sbin/insmod -p x -k modules |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_insmod |
SLES-15-030380 |
AU-12(c),AU-12.1(iv),AU-3,AU-3.1,AU-12(a),AU-12.1(ii),MA-4(1)(a) |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 |
NaN |
SV-234937r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
4.1.16 |
| CCE-85591-6 |
Ensure auditd Collects Information on the Use of Privileged Commands - kmod [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -w /usr/bin/kmod -p x -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -w /usr/bin/kmod -p x -k modules |
Without generating audit records that are specific to the security andmission needs of the organization, it would be difficult to establish,correlate, and investigate the events relating to an incident or identifythose responsible for one.Audit records can be generated from various components within theinformation system (e.g., module or policy filter). |
medium |
content_rule_audit_rules_privileged_commands_kmod |
SLES-15-030410 |
AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv)AU-12(c),MA-4(1)(a) |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222 |
NaN |
SV-234940r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85731-8 |
Ensure auditd Collects Information on the Use of Privileged Commands - modprobe [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -w /sbin/modprobe -p x -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -w /sbin/modprobe -p x -k modules |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_modprobe |
SLES-15-030400 |
AU-12(a),AU-12.1(ii),AU-3,AU-3.1,AU-12(c),AU-12.1(iv),MA-4(1)(a) |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 |
NaN |
SV-234939r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
4.1.16 |
| CCE-85585-8 |
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_newgrp |
SLES-15-030090 |
AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-VMM-001910 |
NaN |
SV-234908r622137_rule |
CCI-000130,CCI-000169,CCI-000135,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c |
| CCE-85601-3 |
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_pam_timestamp_check |
SLES-15-030510 |
AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-VMM-001910 |
NaN |
SV-234950r622137_rule |
CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4 |
| CCE-85599-9 |
Ensure auditd Collects Information on the Use of Privileged Commands - passmass [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_passmass |
SLES-15-030490 |
NaN |
NaN |
NaN |
SRG-OS-000037-GPOS-00015 |
NaN |
SV-234948r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85583-3 |
Ensure auditd Collects Information on the Use of Privileged Commands - passwd [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_passwd |
SLES-15-030070 |
AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-VMM-001910 |
NaN |
SV-234906r622137_rule |
CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c |
| CCE-85732-6 |
Ensure auditd Collects Information on the Use of Privileged Commands - rmmod [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -w /sbin/rmmod -p x -k modules |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_rmmod |
SLES-15-030390 |
AU-12(c),AU-12.1(iv),AU-3,AU-3.1,AU-12(a),AU-12.1(ii),MA-4(1)(a) |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 |
NaN |
SV-234938r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
4.1.16 |
| CCE-85590-8 |
Record Any Attempts to Run ssh-agent [ref] |
At a minimum, the audit system should collect any execution attempt of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent |
Without generating audit records that are specific to the security andmission needs of the organization, it would be difficult to establish,correlate, and investigate the events relating to an incident or identifythose responsible for one.Audit records can be generated from various components within theinformation system (e.g., module or policy filter). |
medium |
content_rule_audit_rules_privileged_commands_ssh_agent |
SLES-15-030370 |
NaN |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 |
NaN |
SV-234936r622137_rule |
CCI-000130,CCI-000169,CCI-000172 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85582-5 |
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_ssh_keysign |
SLES-15-030060 |
AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-VMM-001910 |
NaN |
SV-234905r622137_rule |
CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c |
| CCE-85602-1 |
Ensure auditd Collects Information on the Use of Privileged Commands - su [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_su |
SLES-15-030550 |
AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-0003,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000471-VMM-001910 |
NaN |
SV-234954r622137_rule |
CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c |
| CCE-85603-9 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudo [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_sudo |
SLES-15-030560 |
AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000471-VMM-001910 |
NaN |
SV-234955r622137_rule |
CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
BP28(R19) |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c |
| CCE-85717-7 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_sudoedit |
SLES-15-030330 |
AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-VMM-001910 |
NaN |
SV-234932r622137_rule |
CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c |
| CCE-85762-3 |
Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/sbin/unix2_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/sbin/unix2_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_unix2_chkpwd |
SLES-15-030110 |
AC-2(4),AC-6(9),AU-2(d),AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(ii),AU-12.1(iv),CM-6(a),MA-4(1)(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215,SRG-OS-000037-GPOS-00015,SRG-OS-000471-VMM-001910 |
NaN |
SV-234910r622137_rule |
CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c |
| CCE-85727-6 |
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_unix_chkpwd |
SLES-15-030110 |
AC-2(4),AC-6(9),AU-2(d),AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(ii),AU-12.1(iv),CM-6(a),MA-4(1)(a) |
3.1.7,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
ID.SC-4,PR.PT-1,DE.CM-1,DE.CM-3,DE.CM-7 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-VMM-001910 |
NaN |
SV-234910r622137_rule |
CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 |
1,2,3,5,6,7,8,9,12,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,6.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,CIP-007-3,R6.5,FAU_GEN.1.1.c |
| CCE-85600-5 |
Ensure auditd Collects Information on the Use of Privileged Commands - usermod [ref] |
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that have compromised system accounts,is a serious and ongoing concern and can have significant adverse impacts on organizations.Auditing the use of privileged functions is one way to detect such misuse and identifythe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,which attempt to subvert their normal role of providing some necessary butlimited capability. As such, motivation exists to monitor these programs forunusual activity. |
medium |
content_rule_audit_rules_privileged_commands_usermod |
SLES-15-030500 |
NaN |
NaN |
NaN |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210 |
NaN |
SV-234949r622137_rule |
CCI-000130,CCI-000169,CCI-000172,CCI-002884 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85706-0 |
Remove Default Configuration to Disable Syscall Auditing [ref] |
By default, SUSE Linux Enterprise 15 ships an audit rule to disable syscall auditing for performance reasons. To make sure that syscall auditing works, this line must be removed from /etc/audit/rules.d/audit.rules and /etc/audit/audit.rules: -a task,never |
Audit rules for syscalls do not take effect unless this line is removed. |
medium |
content_rule_audit_rules_enable_syscall_auditing |
SLES-15-030820 |
CM-6(b),CM-6.1(iv) |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234981r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85718-5 |
Ensure auditd Collects Information on Exporting to Media (successful) [ref] |
At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export |
The unauthorized exportation of data to external media could result in an information leakwhere classified information, Privacy Act information, and intellectual property could be lost. An audittrail should be created each time a filesystem is mounted to help identify and guard against informationloss. |
medium |
content_rule_audit_rules_media_export |
SLES-15-030350 |
AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 |
NaN |
SV-234934r622137_rule |
CCI-000135,CCI-000169,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.2.7,4.1.12 |
| CCE-85758-1 |
Record Attempts to Alter Process and Session Initiation Information btmp [ref] |
The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information: -w /var/log/btmp -p wa -k session If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information: -w /var/log/btmp -p wa -k session |
Manual editing of these files may indicate nefarious activity, suchas an attacker attempting to remove evidence of an intrusion. |
medium |
content_rule_audit_rules_session_events_btmp |
SLES-15-030780 |
AU-12(c),AU-12.1(iv) |
NaN |
NaN |
SRG-OS-000472-GPOS-00217 |
NaN |
SV-234977r622137_rule |
CCI-000172 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85714-4 |
Record Attempts to Alter Process and Session Initiation Information utmp [ref] |
The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information: -w /run/utmp -p wa -k session If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information: -w /run/utmp -p wa -k session |
Manual editing of these files may indicate nefarious activity, suchas an attacker attempting to remove evidence of an intrusion. |
medium |
content_rule_audit_rules_session_events_utmp |
SLES-15-030760 |
AU-12(c),AU-12.1(iv) |
NaN |
NaN |
SRG-OS-000472-GPOS-00217 |
NaN |
SV-234975r622137_rule |
CCI-000172 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85757-3 |
Record Attempts to Alter Process and Session Initiation Information wtmp [ref] |
The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information: -w /var/log/wtmp -p wa -k session If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information: -w /var/log/wtmp -p wa -k session |
Manual editing of these files may indicate nefarious activity, suchas an attacker attempting to remove evidence of an intrusion. |
medium |
content_rule_audit_rules_session_events_wtmp |
SLES-15-030770 |
AU-12(c),AU-12.1(iv) |
NaN |
NaN |
SRG-OS-000472-GPOS-00217 |
NaN |
SV-234976r622137_rule |
CCI-000172 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85611-2 |
Record Events When Privileged Executables Are Run [ref] |
Verify the system generates an audit record when privileged functions are executed. # grep -iw execve /etc/audit/audit.rules -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. |
Misuse of privileged functions, either intentionally or unintentionally byauthorized users, or by unauthorized external entities that havecompromised information system accounts, is a serious and ongoing concernand can have significant adverse impacts on organizations. Auditing the useof privileged functions is one way to detect such misuse and identify therisk from insider threats and the advanced persistent threat. |
medium |
content_rule_audit_rules_suid_privilege_function |
SLES-15-030640 |
AC-6(9),AU-7(a),AU-7(b),AU-8(b),AU-12(3),CM-5(1) |
NaN |
NaN |
SRG-OS-000326-GPOS-00126,SRG-OS-000327-GPOS-00127,SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152 |
NaN |
SV-234963r622137_rule |
CCI-001814,CCI-001882,CCI-001889,CCI-001880,CCI-001881,CCI-001878,CCI-001879,CCI-001875,CCI-001877,CCI-001914,CCI-002234 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85679-9 |
Ensure auditd Collects System Administrator Actions [ref] |
At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions |
The actions taken by system administrators should be audited to keep a recordof what was executed on the system, as well as, for accountability purposes. |
medium |
content_rule_audit_rules_sysadmin_actions |
SLES-15-030140 |
AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000462-VMM-001840,SRG-OS-000471-VMM-001910 |
NaN |
SV-234913r622137_rule |
CCI-000126,CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.2,Req-10.2.5.b,4.1.14 |
| CCE-85578-3 |
Record Events that Modify User/Group Information - /etc/group [ref] |
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watcheswill alert the system administrator(s) to any modifications. Any unexpectedusers, groups, or modifications should be investigated for legitimacy. |
medium |
content_rule_audit_rules_usergroup_modification_group |
SLES-15-030010 |
AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960 |
NaN |
SV-234900r622137_rule |
CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132,CCI-002884 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c,Req-10.2.5,4.1.4 |
| CCE-85580-9 |
Record Events that Modify User/Group Information - /etc/gshadow [ref] |
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watcheswill alert the system administrator(s) to any modifications. Any unexpectedusers, groups, or modifications should be investigated for legitimacy. |
medium |
content_rule_audit_rules_usergroup_modification_gshadow |
SLES-15-030040 |
AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960 |
NaN |
SV-234903r622137_rule |
CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c,Req-10.2.5,4.1.4 |
| CCE-85728-4 |
Record Events that Modify User/Group Information - /etc/security/opasswd [ref] |
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watcheswill alert the system administrator(s) to any modifications. Any unexpectedusers, groups, or modifications should be investigated for legitimacy. |
medium |
content_rule_audit_rules_usergroup_modification_opasswd |
SLES-15-030030 |
AC-2(4).1(i&ii),AU-12.1(iv) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000476-GPOS-00221,SRG-OS-000463-GPOS-00207,SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960 |
NaN |
SV-234902r622137_rule |
CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c,Req-10.2.5,4.1.4 |
| CCE-85577-5 |
Record Events that Modify User/Group Information - /etc/passwd [ref] |
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/passwd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/passwd -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watcheswill alert the system administrator(s) to any modifications. Any unexpectedusers, groups, or modifications should be investigated for legitimacy. |
medium |
content_rule_audit_rules_usergroup_modification_passwd |
SLES-15-030000 |
AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000276-GPOS-00106,SRG-OS-000277-GPOS-00107,SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960 |
NaN |
SV-234899r622137_rule |
CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c,Req-10.2.5,4.1.4 |
| CCE-85579-1 |
Record Events that Modify User/Group Information - /etc/shadow [ref] |
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/shadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/shadow -p wa -k audit_rules_usergroup_modification |
In addition to auditing new user and group accounts, these watcheswill alert the system administrator(s) to any modifications. Any unexpectedusers, groups, or modifications should be investigated for legitimacy. |
medium |
content_rule_audit_rules_usergroup_modification_shadow |
SLES-15-030020 |
AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) |
3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960 |
NaN |
SV-234901r622137_rule |
CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c,Req-10.2.5,4.1.4 |
| CCE-85697-1 |
Configure a Sufficiently Large Partition for Audit Logs [ref] |
The SUSE Linux Enterprise 15 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Determine which partition the audit records are being written to with the following command: # grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to with the following command: # df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit |
Information stored in one location is vulnerable to accidental or incidentaldeletion or alteration.Off-loading is a common process in informationsystems with limited audit storage capacity. |
medium |
content_rule_auditd_audispd_configure_sufficiently_large_partition |
SLES-15-030660 |
AU-4 |
NaN |
NaN |
SRG-OS-000341-GPOS-00132,SRG-OS-000342-GPOS-00133 |
NaN |
SV-234965r622137_rule |
CCI-001849 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85617-9 |
Configure audispd's Plugin disk_full_action When Disk Is Full [ref] |
Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately: disk_full_action = ACTION Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. |
Taking appropriate action in case of a filled audit storage volume willminimize the possibility of losing audit records. |
medium |
content_rule_auditd_audispd_disk_full_action |
SLES-15-030800 |
AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) |
NaN |
NaN |
SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 |
NaN |
SV-234979r622137_rule |
CCI-001851 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85614-6 |
Encrypt Audit Records Sent With audispd Plugin [ref] |
Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the enable_krb5 option in /etc/audisp/audisp-remote.conf, and set it with the following line: enable_krb5 = yes |
Information stored in one location is vulnerable to accidental or incidental deletionor alteration. Off-loading is a common process in information systems with limitedaudit storage capacity. |
medium |
content_rule_auditd_audispd_encrypt_sent_records |
SLES-15-030680 |
AU-9(3),CM-6(a) |
NaN |
NaN |
SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 |
NaN |
SV-234967r622137_rule |
CCI-001851 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
FAU_GEN.1.1.c |
| CCE-85705-2 |
Configure audispd's Plugin network_failure_action On Network Failure [ref] |
Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately: network_failure_action = ACTION Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. This profile configures the action to be single. |
Taking appropriate action when there is an error sending audit records to aremote system will minimize the possibility of losing audit records. |
medium |
content_rule_auditd_audispd_network_failure_action |
SLES-15-030790 |
AU-4(1) |
NaN |
NaN |
SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 |
NaN |
SV-234978r622137_rule |
CCI-001851 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85606-2 |
Configure auditd Disk Full Action when Disk Space Is Full [ref] |
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: disk_full_action = ACTION Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. |
Taking appropriate action in case of a filled audit storage volume will minimizethe possibility of losing audit records. |
medium |
content_rule_auditd_data_disk_full_action |
SLES-15-030590 |
AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) |
4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
PR.DS-4,PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 |
SRG-OS-000047-GPOS-00023 |
NaN |
SV-234958r622137_rule |
CCI-000140 |
1,2,3,4,5,6,7,8,11,12,13,14,15,16,19 |
NaN |
NaN |
APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 |
A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,7.1,SR,7.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4 |
| CCE-85604-7 |
Configure auditd mail_acct Action on Low Disk Space [ref] |
The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations: action_mail_acct = root |
Email sent to the root account is typically aliased to theadministrators of the system, who can take appropriate action. |
medium |
content_rule_auditd_data_retention_action_mail_acct |
SLES-15-030570 |
AU-5(a),AU-5(2),CM-6(a) |
4.2.3.10,3.3.1,4.3.3.3.9,4.3.3.5.8,CIP-003-3,R1.3,CIP-003-3,R3,CIP-003-3,R3.1,CIP-003-3,R3.2,CIP-003-3,R3.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
PR.DS-4,PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 |
SRG-OS-000046-GPOS-00022,SRG-OS-000343-GPOS-00134,SRG-OS-000046-VMM-000210,SRG-OS-000343-VMM-001240 |
NaN |
SV-234956r622137_rule |
CCI-000139,CCI-001855 |
1,2,3,4,5,6,7,8,11,12,13,14,15,16,19 |
NaN |
164.312(a)(2)(ii) |
APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 |
IA-5(1),A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,7.1,SR,7.2 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.3,CIP-004-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.2,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,Req-10.7.a,4.1.2.3 |
| CCE-85616-1 |
Configure auditd space_left on Low Disk Space [ref] |
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately: space_left = SIZE_in_MB Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue. |
Notifying administrators of an impending disk space problem may allow them totake corrective action prior to any disruption. |
medium |
content_rule_auditd_data_retention_space_left |
SLES-15-030700 |
AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) |
4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
PR.DS-4,PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 |
SRG-OS-000343-GPOS-00134,SRG-OS-000343-VMM-001240 |
NaN |
SV-234969r622137_rule |
CCI-001855 |
1,2,3,4,5,6,7,8,11,12,13,14,15,16,19 |
NaN |
NaN |
APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 |
A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,7.1,SR,7.2 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4,Req-10.7 |
| CCE-85613-8 |
Ensure the default plugins for the audit dispatcher are Installed [ref] |
The audit-audispd-plugins package should be installed. |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. |
medium |
content_rule_package_audit-audispd-plugins_installed |
SLES-15-030670 |
NaN |
NaN |
NaN |
SRG-OS-000342-GPOS-00133 |
NaN |
SV-234966r622137_rule |
CCI-001851 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85612-0 |
Ensure the audit Subsystem is Installed [ref] |
The audit package should be installed. |
The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. |
medium |
content_rule_package_audit_installed |
SLES-15-030650 |
AC-7(a),AU-7(1),AU-7(2),AU-14,AU-12(2),AU-2(a),CM-6(a) |
NaN |
NaN |
SRG-OS-000122-GPOS-00063,SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000480-GPOS-00227,SRG-OS-000062-GPOS-00031 |
NaN |
SV-234964r622137_rule |
CCI-000172,CCI-001814,CCI-001875,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914,CCI-000169 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
BP28(R50) |
CIP-004-3,R3.3,CIP-007-3,R6.5,4.1.1.1 |
| CCE-85581-7 |
Enable auditd Service [ref] |
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command: $ sudo systemctl enable auditd.service |
Without establishing what type of events occurred, it would be difficultto establish, correlate, and investigate the events leading up to an outage or attack.Ensuring the auditd service is active ensures audit recordsgenerated by the kernel are appropriately recorded.Additionally, a properly configured audit subsystem ensures that actions ofindividual system users can be uniquely traced to those users so theycan be held accountable for their actions. |
medium |
content_rule_service_auditd_enabled |
SLES-15-030050 |
AC-2(g),AC-6(9),AU-3,AU-10,AU-2(d),AU-12(c),AU-14(1),CM-6(a),SI-4(23) |
4.2.3.10,4.3.2.6.7,3.3.1,3.3.2,3.3.6,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 |
ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 |
SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000480-GPOS-00227,SRG-OS-000062-GPOS-00031,SRG-OS-000037-VMM-000150,SRG-OS-000063-VMM-000310,SRG-OS-000038-VMM-000160,SRG-OS-000039-VMM-000170,SRG-OS-000040-VMM-000180,SRG-OS-000041-VMM-000190 |
NaN |
SV-234904r622137_rule |
CCI-000126,CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000366,CCI-001464,CCI-001487,CCI-001814,CCI-001876,CCI-002884,CCI-000169 |
1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(C),164.310(a)(2)(iv),164.310(d)(2)(iii),164.312(b) |
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 |
A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 |
SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 |
NaN |
5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R3.3,CIP-007-3,R6.5,Req-10.1,4.1.1.2 |
| CCE-85765-6 |
Install the pam_apparmor Package [ref] |
The pam_apparmor package can be installed with the following command: $ sudo zypper install pam_apparmor |
Protection of system integrity using AppArmor depends on this package beinginstalled. |
medium |
content_rule_package_pam_apparmor_installed |
SLES-15-010390 |
AC-3(4),AC-6(8),AC-6(10),CM-7(5)(b),CM-7(2),CM-6(a),SC-7(21) |
NaN |
NaN |
SRG-OS-000312-GPOS-00122,SRG-OS-000312-GPOS-00123SRG-OS-000312-GPOS-00124,SRG-OS-000324-GPOS-00125,SRG-OS-000326-GPOS-00126,SRG-OS-000370-GPOS-00155,SRG-OS-000480-GPOS-00230,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232 |
NaN |
SV-234848r622137_rule |
CCI-001764,CCI-001774,CCI-002165,CCI-002233,CCI-002235 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
1.7.1.1 |
| CCE-85752-4 |
Ensure AppArmor is Active and Configured [ref] |
Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control. The apparmor service can be enabled with the following command: $ sudo systemctl enable apparmor.service |
Using a whitelist provides a configuration management method for allowingthe execution of only authorized software. Using only authorized softwaredecreases risk by limiting the number of potential vulnerabilities.The organization must identify authorized software programs and permitexecution of authorized software by adding each authorized program to the"pam_apparmor" exception policy. The process used to identify softwareprograms that are authorized to execute on organizational informationsystems is commonly referred to as whitelisting.Verification of whitelisted software occurs prior to execution or at systemstartup.Users' home directories/folders may contain information of a sensitivenature. Nonprivileged users should coordinate any sharing of informationwith a System Administrator (SA) through shared resources.Apparmor can confine users to their home directory, not allowing them tomake any changes outside of their own home directories. Confining users totheir home directory will minimize the risk of sharing information. |
medium |
content_rule_apparmor_configured |
SLES-15-010390 |
AC-3(4),AC-6(8),AC-6(10),CM-7(5)(b),CM-7(2),CM-6(a),SC-7(21) |
NaN |
NaN |
SRG-OS-000312-GPOS-00122,SRG-OS-000312-GPOS-00123SRG-OS-000312-GPOS-00124,SRG-OS-000324-GPOS-00125,SRG-OS-000326-GPOS-00126,SRG-OS-000370-GPOS-00155,SRG-OS-000480-GPOS-00230,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232 |
NaN |
SV-234848r622137_rule |
CCI-001764,CCI-001774,CCI-002165,CCI-002233,CCI-002235 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
1.7.1.2 |
| CCE-83274-1 |
Set Boot Loader Password in grub2 [ref] |
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. Since plaintext passwords are a security risk, generate a hash for the password by running the following command: $ grub2-mkpasswd-pbkdf2 When prompted, enter the password that was selected. Using the hash from the output, modify the /etc/grub.d/40_custom file with the following content: set superusers="boot" password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString NOTE: the bootloader superuser account and password MUST differ from the root account and password. Once the superuser password has been added, update the grub.cfg file by running: grub2-mkconfig -o /boot/grub2/grub.cfgWarning: To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. |
Password protection on the boot loader configuration ensuresusers with physical access cannot trivially alterimportant bootloader settings. These include which kernel to use,and whether to enter single-user mode. |
high |
content_rule_grub2_password |
SLES-15-010190 |
CM-6(a) |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,3.4.5 |
PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.PT-3 |
SRG-OS-000080-GPOS-00048 |
NaN |
SV-234819r622137_rule |
CCI-000213 |
1,3,5,11,12,14,15,16,18 |
NaN |
164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) |
DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10 |
A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7 |
BP28(R17) |
FIA_UAU.1,1.5.1 |
| CCE-83275-8 |
Set the UEFI Boot Loader Password [ref] |
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. Since plaintext passwords are a security risk, generate a hash for the password by running the following command: $ grub2-mkpasswd-pbkdf2 When prompted, enter the password that was selected. Using the hash from the output, modify the /etc/grub.d/40_custom file with the following content: set superusers="boot" password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString NOTE: the bootloader superuser account and password MUST differ from the root account and password. Once the superuser password has been added, update the grub.cfg file by running: grub2-mkconfig -o /boot/grub2/grub.cfgWarning: To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. |
Password protection on the boot loader configuration ensuresusers with physical access cannot trivially alterimportant bootloader settings. These include which kernel to use,and whether to enter single-user mode. |
high |
content_rule_grub2_uefi_password |
SLES-15-010200 |
CM-6(a) |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,3.4.5 |
PR.AC-4,PR.AC-6,PR.PT-3 |
SRG-OS-000080-GPOS-00048 |
NaN |
SV-234820r622137_rule |
CCI-000213 |
3,5,11,12,14,15,16,18 |
NaN |
164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) |
DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.03,DSS06.06 |
A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7 |
BP28(R17) |
FIA_UAU.1,1.5.1 |
| CCE-85552-8 |
Ensure Logs Sent To Remote Host [ref] |
To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting logcollector appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. To use UDP for log message delivery: *.* @logcollector To use TCP for log message delivery: *.* @@logcollector To use RELP for log message delivery: *.* :omrelp:logcollector There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility. |
A log server (loghost) receives syslog messages from one or moresystems. This data can be used as an additional log source in the event asystem is compromised and its local logs are suspect. Forwarding log messagesto a remote loghost also provides system administrators with a centralizedplace to view the status of multiple hosts within the enterprise. |
medium |
content_rule_rsyslog_remote_loghost |
SLES-15-010580 |
AU-4(1),AU-9(2),CM-6(a) |
4.3.3.3.9,4.3.3.5.8,CIP-003-3,R5.2,4.3.4.4.7 |
PR.DS-4,PR.PT-1 |
SRG-OS-000479-GPOS-00224,SRG-OS-000480-GPOS-00227,SRG-OS-000342-GPOS-00133,SRG-OS-000032-VMM-000130 |
NaN |
SV-234865r622137_rule |
CCI-000366,CCI-001348,CCI-000136,CCI-001851 |
1,2,3,5,6,13,14,15,16 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(B),164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.308(a)(8),164.310(d)(2)(iii),164.312(b),164.314(a)(2)(i)(C),164.314(a)(2)(iii) |
APO11.04,APO13.01,BAI03.05,BAI04.04,DSS05.04,DSS05.07,MEA02.01 |
A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.17.2.1 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,7.1,SR,7.2 |
BP28(R7) |
NT28(R43),NT12(R5),4.4.2.1,4.4.2.2,4.4.2.4,0988,1405,CIP-004-3,R3.3,FAU_GEN.1.1.c,4.2.1.5 |
| CCE-85724-3 |
Ensure real-time clock is set to UTC [ref] |
Ensure that the system real-time clock (RTC) is set to Coordinated Universal Time (UTC). |
If time stamps are not consistently applied and there is no commontime reference, it is difficult to perform forensic analysis.Time stamps generated by the operating system include date and time.Time is commonly expressed in UTC, a modern continuation of GMT, orlocal time with an offset from UTC. |
high |
content_rule_ensure_rtc_utc_configuration |
SLES-15-010410 |
AU-8(b) |
NaN |
NaN |
SRG-OS-000359-GPOS-00146 |
NaN |
SV-234850r622137_rule |
CCI-001890 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85698-9 |
Install firewalld Package [ref] |
The firewalld package can be installed with the following command: $ sudo zypper install firewalld |
The firewalld package should be installed to provide access control methods. |
medium |
content_rule_package_firewalld_installed |
SLES-15-010220 |
AC-17(1),CM-7,CM-7.1(iii),CM-7(b) |
3.5.1.1 |
NaN |
SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000298-GPOS-00116,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00232 |
NaN |
SV-234821r622137_rule |
CCI-002314 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85751-6 |
Verify firewalld Enabled [ref] |
The firewalld service can be enabled with the following command: $ sudo systemctl enable firewalld.service |
Access control methods provide the ability to enhance system security postureby restricting services and known good IP addresses and address ranges. Thisprevents connections from unknown hosts and protocols. |
medium |
content_rule_service_firewalld_enabled |
SLES-15-010220 |
AC-17(1),CM-7,CM-7.1(iii),CM-7(b) |
3.1.3,CIP-003-3,R4,CIP-003-3,R5,3.4.7,4.3.4.3.2,4.3.4.3.3,3.5.1.4 |
PR.IP-1 |
SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232 |
NaN |
SV-234821r622137_rule |
CCI-000366,CCI-000382,CCI-002314 |
3,9,11 |
NaN |
NaN |
BAI10.01,BAI10.02,BAI10.03,BAI10.05 |
A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,7.6 |
NaN |
CIP-004-3,R3,FMT_MOF_EXT.1 |
| CCE-85708-6 |
Disable Accepting ICMP Redirects for All IPv6 Interfaces [ref] |
To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0 |
An illicit ICMP redirect message could result in a man-in-the-middle attack. |
medium |
content_rule_sysctl_net_ipv6_conf_all_accept_redirects |
SLES-15-040341 |
CM-7(a),CM-7(b),CM-6(a),CM-6(b),CM-6.1(iv) |
3.1.20,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,3.3.2,4.3.4.3.2,4.3.4.3.3 |
PR.IP-1,PR.PT-3 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235020r622137_rule |
CCI-000366,CCI-001551 |
3,9,11,14 |
NaN |
NaN |
BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 |
A.9.1.2,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,7.6 |
BP28(R22) |
NaN |
| CCE-85649-2 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces [ref] |
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0 |
Source-routed packets allow the source of the packet to suggest routersforward the packet along a different path than configured on the router, which canbe used to bypass network security measures. This requirement applies only to theforwarding of source-routerd traffic, such as when IPv6 forwarding is enabled andthe system is functioning as a router.Accepting source-routed packets in the IPv6 protocol has few legitimateuses. It should be disabled unless it is absolutely required. |
medium |
content_rule_sysctl_net_ipv6_conf_all_accept_source_route |
SLES-15-040310 |
CM-7(a),CM-7(b),CM-6(a) |
3.1.20,4.3.3.4,3.3.1 |
ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4,DE.AE-1 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235015r622137_rule |
CCI-000366 |
1,4,6,8,9,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,7.1,SR,7.6 |
BP28(R22) |
4.2.3.4,4.4.3.3 |
| CCE-85713-6 |
Disable Kernel Parameter for IPv6 Forwarding [ref] |
To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.forwarding = 0 |
IP forwarding permits the kernel to forward packets from one networkinterface to another. The ability to forward packets between two networks isonly appropriate for systems acting as routers. |
medium |
content_rule_sysctl_net_ipv6_conf_all_forwarding |
SLES-15-040381 |
CM-7(a),CM-7(b),CM-6(a),CM-6(b),CM-6.1(iv) |
3.2.1,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 |
PR.DS-4,PR.IP-1,PR.PT-3,DE.CM-1 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235025r622137_rule |
CCI-000366 |
1,2,3,7,8,9,11,12,13,14,15,16 |
NaN |
NaN |
APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07,DSS06.06 |
A.9.1.2,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,6.2,SR,7.1,SR,7.2,SR,7.6 |
NaN |
NaN |
| CCE-85722-7 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces [ref] |
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 |
An illicit ICMP redirect message could result in a man-in-the-middle attack. |
medium |
content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
SLES-15-040350 |
CM-6(b),CM-6.1(iv) |
3.1.20,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,3.3.2,4.3.4.3.2,4.3.4.3.3 |
PR.IP-1,PR.PT-3 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235021r622137_rule |
CCI-000366,CCI-001551 |
3,9,11,14 |
NaN |
NaN |
BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 |
A.9.1.2,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,7.6 |
BP28(R22) |
NaN |
| CCE-85653-4 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default [ref] |
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0 |
Source-routed packets allow the source of the packet to suggest routersforward the packet along a different path than configured on the router, which canbe used to bypass network security measures. This requirement applies only to theforwarding of source-routerd traffic, such as when IPv6 forwarding is enabled andthe system is functioning as a router.Accepting source-routed packets in the IPv6 protocol has few legitimateuses. It should be disabled unless it is absolutely required. |
medium |
content_rule_sysctl_net_ipv6_conf_default_accept_source_route |
SLES-15-040321 |
CM-7(a),CM-7(b),CM-6(a),CM-6(b),CM-6.1(iv) |
3.1.20,4.3.3.4,3.3.1 |
ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4,DE.AE-1 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235017r622137_rule |
CCI-000366 |
1,4,6,8,9,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,7.1,SR,7.6 |
BP28(R22) |
4.2.3.4,4.4.3.3 |
| CCE-85725-0 |
Disable Kernel Parameter for IPv6 Forwarding by default [ref] |
To set the runtime status of the net.ipv6.conf.default.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.forwarding=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.forwarding = 0 |
IP forwarding permits the kernel to forward packets from one networkinterface to another. The ability to forward packets between two networks isonly appropriate for systems acting as routers. |
medium |
content_rule_sysctl_net_ipv6_conf_default_forwarding |
SLES-15-040382 |
CM-6(b),CM-6.1(iv) |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235026r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85651-8 |
Disable Accepting ICMP Redirects for All IPv4 Interfaces [ref] |
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0 |
ICMP redirect messages are used by routers to inform hosts that a moredirect route exists for a particular destination. These messages modify thehost's route table and are unauthenticated. An illicit ICMP redirectmessage could result in a man-in-the-middle attack.This feature of the IPv4 protocol has few legitimate uses. It should bedisabled unless absolutely required." |
medium |
content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
SLES-15-040330 |
CM-7(a),CM-7(b),CM-6(a),SC-7(a) |
3.1.20,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,3.3.2,4.3.4.3.2,4.3.4.3.3 |
PR.DS-4,PR.IP-1,PR.PT-3,DE.CM-1 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235018r622137_rule |
CCI-000366,CCI-001503,CCI-001551 |
1,2,3,7,8,9,11,12,13,14,15,16 |
NaN |
NaN |
APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07,DSS06.06 |
A.9.1.2,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,6.2,SR,7.1,SR,7.2,SR,7.6 |
BP28(R22) |
5.10.1.1 |
| CCE-85648-4 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces [ref] |
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0 |
Source-routed packets allow the source of the packet to suggest routersforward the packet along a different path than configured on the router,which can be used to bypass network security measures. This requirementapplies only to the forwarding of source-routerd traffic, such as when IPv4forwarding is enabled and the system is functioning as a router.Accepting source-routed packets in the IPv4 protocol has few legitimateuses. It should be disabled unless it is absolutely required. |
medium |
content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
SLES-15-040300 |
CM-7(a),CM-7(b),CM-6(a),SC-5,SC-7(a) |
3.1.20,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,3.3.1,4.3.4.3.2,4.3.4.3.3 |
ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4,DE.AE-1,DE.CM-1 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235014r622137_rule |
CCI-000366 |
1,2,3,4,6,7,8,9,11,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.2,SR,7.1,SR,7.2,SR,7.6 |
BP28(R22) |
4.2.3.4,4.4.3.3,CIP-007-3,R4,CIP-007-3,R4.1,CIP-007-3,R4.2,CIP-007-3,R5.1 |
| CCE-85652-6 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces [ref] |
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0 |
ICMP redirect messages are used by routers to inform hosts that a moredirect route exists for a particular destination. These messages modify thehost's route table and are unauthenticated. An illicit ICMP redirectmessage could result in a man-in-the-middle attack.This feature of the IPv4 protocol has few legitimate uses. It shouldbe disabled unless absolutely required. |
medium |
content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
SLES-15-040340 |
CM-7(a),CM-7(b),CM-6(a),SC-7(a) |
3.1.20,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,3.3.3,4.3.4.3.2,4.3.4.3.3 |
ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4,DE.AE-1,DE.CM-1 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235019r622137_rule |
CCI-000366,CCI-001551 |
1,2,3,4,6,7,8,9,11,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.2,SR,7.1,SR,7.2,SR,7.6 |
BP28(R22) |
5.10.1.1,4.2.3.4,4.4.3.3 |
| CCE-85650-0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default [ref] |
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0 |
Source-routed packets allow the source of the packet to suggest routersforward the packet along a different path than configured on the router,which can be used to bypass network security measures.Accepting source-routed packets in the IPv4 protocol has few legitimateuses. It should be disabled unless it is absolutely required, such as whenIPv4 forwarding is enabled and the system is legitimately functioning as arouter. |
medium |
content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
SLES-15-040320 |
CM-7(a),CM-7(b),SC-5,SC-7(a) |
3.1.20,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,3.3.1,4.3.4.3.2,4.3.4.3.3 |
ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4,DE.AE-1,DE.CM-1 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235016r622137_rule |
CCI-000366,CCI-001551 |
1,2,3,4,6,7,8,9,11,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.2,SR,7.1,SR,7.2,SR,7.6 |
BP28(R22) |
5.10.1.1,4.2.3.4,4.4.3.3,CIP-007-3,R4,CIP-007-3,R4.1,CIP-007-3,R4.2,CIP-007-3,R5.1 |
| CCE-83283-2 |
Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces [ref] |
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1 |
A TCP SYN flood attack can cause a denial of service by filling asystem's TCP connection table with connections in the SYN_RCVD state.Syncookies can be used to track a connection when a subsequent ACK is received,verifying the initiator is attempting a valid connection and is not a floodsource. This feature is activated when a flood condition is detected, andenables the system to continue servicing valid connection requests. |
medium |
content_rule_sysctl_net_ipv4_tcp_syncookies |
SLES-15-010310 |
CM-7(a),CM-7(b),CM-6(a),SC-5(1),SC-5(2),SC-5(3)(a) |
3.1.20,4.3.3.4,3.3.8 |
ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.PT-4,DE.AE-1,DE.CM-1 |
SRG-OS-000480-GPOS-00227,SRG-OS-000420-GPOS-00186,SRG-OS-000142-GPOS-00071 |
NaN |
SV-234829r622137_rule |
CCI-000366,CCI-001095 |
1,2,4,6,7,8,9,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,APO13.01,BAI04.04,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.17.2.1 |
SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.2,SR,7.1,SR,7.2,SR,7.6 |
BP28(R22) |
5.10.1.1,4.2.3.4,4.4.3.3 |
| CCE-85655-9 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces [ref] |
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0 |
ICMP redirect messages are used by routers to inform hosts that a moredirect route exists for a particular destination. These messages contain informationfrom the system's route table possibly revealing portions of the network topology.The ability to send ICMP redirects is only appropriate for systems acting as routers. |
medium |
content_rule_sysctl_net_ipv4_conf_all_send_redirects |
SLES-15-040370 |
CM-7(a),CM-7(b),CM-6(a),SC-5,SC-7(a) |
3.1.20,3.2.2,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 |
ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4,DE.AE-1,DE.CM-1 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235023r622137_rule |
CCI-000366 |
1,2,3,4,6,7,8,9,11,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.2,SR,7.1,SR,7.2,SR,7.6 |
BP28(R22) |
5.10.1.1,4.2.3.4,4.4.3.3,CIP-007-3,R4,CIP-007-3,R4.1,CIP-007-3,R4.2,CIP-007-3,R5.1 |
| CCE-85654-2 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default [ref] |
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0 |
ICMP redirect messages are used by routers to inform hosts that a moredirect route exists for a particular destination. These messages contain informationfrom the system's route table possibly revealing portions of the network topology.The ability to send ICMP redirects is only appropriate for systems acting as routers. |
medium |
content_rule_sysctl_net_ipv4_conf_default_send_redirects |
SLES-15-040360 |
CM-7(a),CM-7(b),CM-6(a),SC-5,SC-7(a) |
3.1.20,3.2.2,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 |
ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4,DE.AE-1,DE.CM-1 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235022r622137_rule |
CCI-000366 |
1,2,3,4,6,7,8,9,11,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.2,SR,7.1,SR,7.2,SR,7.6 |
BP28(R22) |
5.10.1.1,4.2.3.4,4.4.3.3,CIP-007-3,R4,CIP-007-3,R4.1,CIP-007-3,R4.2,CIP-007-3,R5.1 |
| CCE-85709-4 |
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces [ref] |
To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0Warning: Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking. Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in profiles or benchmarks that target usage of IPv4 forwarding. |
Routing protocol daemons are typically used on routers to exchangenetwork topology information with other routers. If this capability is used whennot required, system network information may be unnecessarily transmitted acrossthe network. |
medium |
content_rule_sysctl_net_ipv4_ip_forward |
SLES-15-040380 |
CM-6(b),CM-6.1(iv) |
3.1.20,3.2.1,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 |
PR.DS-4,PR.IP-1,PR.PT-3,PR.PT-4,DE.CM-1 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235024r622137_rule |
CCI-000366 |
1,2,3,7,8,9,11,12,13,14,15,16 |
NaN |
NaN |
APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07,DSS06.06 |
A.9.1.2,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.2,SR,7.1,SR,7.2,SR,7.6 |
BP28(R22) |
CIP-007-3,R4,CIP-007-3,R4.1,CIP-007-3,R4.2,CIP-007-3,R5.1 |
| CCE-83286-5 |
Deactivate Wireless Network Interfaces [ref] |
Deactivating wireless network interfaces should prevent normal usage of the wireless capability. Configure the system to disable wireless network interfaces by issuing the following command for every active <WIFI-INTERFACE> in the system: $ sudo wicked ifdown <WIFI-INTERFACE> Also remove the configuration files for every wifi adapter from /etc/wicked/ifconfig/<WIFI-INTERFACE>.xml to prevent future connections. |
The use of wireless networking can introduce many different attack vectors intothe organization's network. Common attack vectors such as malicious associationand ad hoc networks will allow an attacker to spoof a wireless access point(AP), allowing validated systems to connect to the malicious AP and enabling theattacker to monitor and record network traffic. These malicious APs can alsoserve to create a man-in-the-middle attack or be used to create a denial ofservice to valid network resources. |
medium |
content_rule_wireless_disable_interfaces |
SLES-15-010380 |
AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7 |
3.1.16,3.1.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 |
PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4 |
SRG-OS-000299-GPOS-00117,SRG-OS-000300-GPOS-00118,SRG-OS-000424-GPOS-00188,SRG-OS-000481-GPOS-000481 |
NaN |
SV-234847r622137_rule |
CCI-000085,CCI-002418,CCI-002421,CCI-001444 |
3,8,9,11,12,14,15 |
NaN |
NaN |
APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06 |
A.6.2.1,A.6.2.2,A.9.1.2,A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,7.1,SR,7.6 |
NaN |
1315,1319 |
| CCE-85656-7 |
Ensure System is Not Acting as a Network Sniffer [ref] |
The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode: $ ip link | grep PROMISC Promiscuous mode of an interface can be disabled with the following command: $ sudo ip link set dev device_name multicast off promisc off |
Network interfaces in promiscuous mode allow for the capture of all network trafficvisible to the system. If unauthorized individuals can access these applications, itmay allow them to collect information such as logon IDs, passwords, and key exchangesbetween systems.If the system is being used to perform a network troubleshooting function, the use of thesetools must be documented with the Information Systems Security Manager (ISSM) and restrictedto only authorized personnel. |
medium |
content_rule_network_sniffer_disabled |
SLES-15-040390 |
CM-7(a),CM-7(b),CM-6(a),CM-7(2),MA-3 |
4.3.3.3.7,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 |
ID.AM-1,PR.IP-1,PR.MA-1,PR.PT-3,DE.DP-5 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235027r622137_rule |
CCI-000366 |
1,3,9,11,14 |
NaN |
NaN |
APO11.06,APO12.06,BAI03.10,BAI09.01,BAI09.02,BAI09.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.05,DSS04.05,DSS05.02,DSS05.05,DSS06.06 |
A.8.1.1,A.8.1.2,A.9.1.2,A.11.1.2,A.11.2.4,A.11.2.5,A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.16.1.6 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,7.6,SR,7.8 |
NaN |
4.2.3.4,4.4.3.4 |
| CCE-85572-6 |
Verify Permissions and Ownership of Old Passwords File [ref] |
To properly set the owner of /etc/security/opasswd, run the command: $ sudo chown root /etc/security/opasswd To properly set the group owner of /etc/security/opasswd, run the command: $ sudo chgrp root /etc/security/opasswd To properly set the permissions of /etc/security/opasswd, run the command: $ sudo chmod 0600 /etc/security/opasswd |
The /etc/security/opasswd file stores old passwords to preventpassword reuse. Protection of this file is critical for system security. |
medium |
content_rule_file_etc_security_opasswd |
SLES-15-020240 |
NaN |
NaN |
NaN |
SRG-OS-000077-GPOS-00045 |
NaN |
SV-234893r622137_rule |
CCI-000200 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85737-5 |
Verify that Shared Library Directories Have Root Group Ownership [ref] |
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be group-owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chgrp root DIR |
Files from shared library directories are loaded into the addressspace of processes (including privileged ones) or of the kernel itself atruntime. Proper ownership of library directories is necessary to protectthe integrity of the system. |
medium |
content_rule_dir_group_ownership_library_dirs |
SLES-15-010356 |
CM-5(6),CM-5(6).1 |
NaN |
NaN |
SRG-OS-000259-GPOS-00100 |
NaN |
SV-234839r622137_rule |
CCI-001499 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85735-9 |
Verify that Shared Library Directories Have Root Ownership [ref] |
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chown root DIR |
Files from shared library directories are loaded into the addressspace of processes (including privileged ones) or of the kernel itself atruntime. Proper ownership of library directories is necessary to protectthe integrity of the system. |
medium |
content_rule_dir_ownership_library_dirs |
SLES-15-010354 |
CM-5(6),CM-5(6).1 |
NaN |
NaN |
SRG-OS-000259-GPOS-00100 |
NaN |
SV-234837r622137_rule |
CCI-001499 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85753-2 |
Verify that Shared Library Directories Have Restrictive Permissions [ref] |
System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All sub-directories in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w DIR |
If the operating system were to allow any user to make changes to software libraries,then those changes might be implemented without undergoing the appropriate testingand approvals that are part of a robust change management process.This requirement applies to operating systems with software libraries that are accessibleand configurable, as in the case of interpreted languages. Software libraries also includeprivileged programs which execute with escalated privileges. Only qualified and authorizedindividuals must be allowed to obtain access to information system components for purposesof initiating changes, including upgrades and modifications. |
medium |
content_rule_dir_permissions_library_dirs |
SLES-15-010352 |
CM-5,CM-5(6),CM-5(6).1 |
CIP-003-3,R6 |
NaN |
NaN |
NaN |
SV-234835r622137_rule |
CCI-001499 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85742-5 |
Verify that system commands files are group owned by root [ref] |
System commands files are stored in the following directories by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin All files in these directories should be owned by the root group. If the directory, or any file in these directories, is found to be owned by a group other than root correct its ownership with the following command: $ sudo chgrp root FILE |
If the operating system allows any user to make changes to softwarelibraries, then those changes might be implemented without undergoing theappropriate testing and approvals that are part of a robust change managementprocess.This requirement applies to operating systems with software librariesthat are accessible and configurable, as in the case of interpreted languages.Software libraries also include privileged programs which execute withescalated privileges. Only qualified and authorized individuals must beallowed to obtain access to information system components for purposesof initiating changes, including upgrades and modifications. |
medium |
content_rule_file_groupownership_system_commands_dirs |
SLES-15-010361 |
CM-5(6),CM-5(6).1 |
NaN |
NaN |
SRG-OS-000259-GPOS-00100 |
NaN |
SV-234844r622137_rule |
CCI-001499 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85730-0 |
Verify that System Executables Have Root Ownership [ref] |
System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command: $ sudo chown root FILE |
System binaries are executed by privileged users as well as system services,and restrictive permissions are necessary to ensure that theirexecution of these programs cannot be co-opted. |
medium |
content_rule_file_ownership_binary_dirs |
SLES-15-010359 |
AC-6(1),CM-5(6),CM-5(6).1,CM-6(a) |
4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 |
PR.AC-4,PR.DS-5 |
SRG-OS-000259-GPOS-00100 |
NaN |
SV-234842r622137_rule |
CCI-001499 |
3,5,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
NaN |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2 |
| CCE-85756-5 |
Verify that Shared Library Files Have Root Ownership [ref] |
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command: $ sudo chown root FILE |
Files from shared library directories are loaded into the addressspace of processes (including privileged ones) or of the kernel itself atruntime. Proper ownership is necessary to protect the integrity of the system. |
medium |
content_rule_file_ownership_library_dirs |
SLES-15-010353 |
AC-6(1),CM-5(6),CM-5(6).1,CM-6(a) |
4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 |
PR.AC-4,PR.DS-5 |
SRG-OS-000259-GPOS-00100 |
NaN |
SV-234836r622137_rule |
CCI-001499 |
3,5,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
NaN |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2 |
| CCE-85729-2 |
Verify that System Executables Have Restrictive Permissions [ref] |
System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE |
System binaries are executed by privileged users, as well as system services,and restrictive permissions are necessary to ensure execution of these programscannot be co-opted. |
medium |
content_rule_file_permissions_binary_dirs |
SLES-15-010358 |
AC-6(1),CM-5(6),CM-5(6).1,CM-6(a) |
4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 |
PR.AC-4,PR.DS-5 |
SRG-OS-000259-GPOS-00100 |
NaN |
SV-234841r622137_rule |
CCI-001499 |
3,5,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
NaN |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2 |
| CCE-85670-8 |
Verify that Shared Library Files Have Restrictive Permissions [ref] |
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod go-w FILE |
Files from shared library directories are loaded into the addressspace of processes (including privileged ones) or of the kernel itself atruntime. Restrictive permissions are necessary to protect the integrity of the system. |
medium |
content_rule_file_permissions_library_dirs |
SLES-15-010351 |
AC-6(1),CM-6(a),CM-5(6),CM-5(6).1 |
4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 |
PR.AC-4,PR.DS-5 |
SRG-OS-000259-GPOS-00100 |
NaN |
SV-234834r622137_rule |
CCI-001499 |
3,5,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
NaN |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2 |
| CCE-85738-3 |
Verify that system commands are protected from unauthorized access [ref] |
System commands are stored in the following directories by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command: $ sudo chmod 755 FILE |
System binaries are executed by privileged users, as well as system services,and restrictive permissions are necessary to ensure execution of these programscannot be co-opted. |
medium |
content_rule_file_permissions_system_commands_dirs |
SLES-15-010357 |
CM-5(6),CM-5(6).1 |
NaN |
NaN |
SRG-OS-000259-GPOS-00100 |
NaN |
SV-234840r622137_rule |
CCI-001499 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85736-7 |
Verify the system-wide library files in directories"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are owned by root. [ref] |
System-wide library files are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 All system-wide shared library files should be protected from unauthorised access. If any of these files is not owned by root, correct its owner with the following command: $ sudo chgrp root FILE |
If the operating system were to allow any user to make changes to software libraries,then those changes might be implemented without undergoing the appropriate testing andapprovals that are part of a robust change management process.This requirement applies to operating systems with software libraries that areaccessible and configurable, as in the case of interpreted languages. Software librariesalso include privileged programs which execute with escalated privileges. Only qualifiedand authorized individuals must be allowed to obtain access to information system componentsfor purposes of initiating changes, including upgrades and modifications. |
medium |
content_rule_root_permissions_syslibrary_files |
SLES-15-010355 |
CM-5(6),CM-5(6).1 |
NaN |
NaN |
SRG-OS-000259-GPOS-00100 |
NaN |
SV-234838r622137_rule |
CCI-001499 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83282-4 |
Verify that All World-Writable Directories Have Sticky Bits Set [ref] |
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory DIR, run the following command: $ sudo chmod +t DIR |
Failing to set the sticky bit on public directories allows unauthorizedusers to delete files in the directory structure.The only authorized public directories are those temporary directoriessupplied with the system, or those designed to be temporary filerepositories. The setting is normally reserved for directories used by thesystem, by users for temporary file storage (such as /tmp), andfor directories requiring global read/write access. |
medium |
content_rule_dir_perms_world_writable_sticky_bits |
SLES-15-010300 |
AC-6(1),CM-6(a) |
4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 |
PR.AC-4,PR.DS-5 |
SRG-OS-000138-GPOS-00069 |
NaN |
SV-234828r622137_rule |
CCI-001090 |
3,5,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
BP28(R40) |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,1.1.22 |
| CCE-85637-7 |
Ensure All World-Writable Directories Are Group Owned by a System Account [ref] |
All directories in local partitions which are world-writable should be group owned by root or another system account. If any world-writable directories are not group owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. |
Allowing a user account to group own a world-writable directory isundesirable because it allows the owner of that directory to removeor replace any files that may be placed in the directory by otherusers. |
medium |
content_rule_dir_perms_world_writable_system_owned_group |
SLES-15-040180 |
AC-6(1),CM-6(a) |
4.3.3.7.3 |
PR.AC-4,PR.DS-5 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235002r622137_rule |
CCI-000366 |
3,5,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
NaN |
NaN |
| CCE-85743-3 |
Verify that system commands directories have root as a group owner [ref] |
System commands are stored in the following directories: by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin All these directories should have root user as a group owner. If any system command directory is not group owned by a user other than root correct its ownership with the following command: $ sudo chgrp root DIR |
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.This requirement applies to operating systems with software librariesthat are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. |
medium |
content_rule_dir_system_commands_group_root_owned |
SLES-15-010362 |
CM-5(6),CM-5(6).1 |
NaN |
NaN |
SRG-OS-000259-GPOS-00100 |
NaN |
SV-234845r622137_rule |
CCI-001499 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85741-7 |
Verify that system commands directories have root ownership [ref] |
System commands are stored in the following directories by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin All these directories should be owned by the root user. If any system command directory is not owned by a user other than root correct its ownership with the following command: $ sudo chown root DIR |
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.This requirement applies to operating systems with software librariesthat are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. |
medium |
content_rule_dir_system_commands_root_owned |
SLES-15-010360 |
CM-5(6),CM-5(6).1 |
NaN |
NaN |
SRG-OS-000259-GPOS-00100 |
NaN |
SV-234843r622137_rule |
CCI-001499 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85658-3 |
Ensure All Files Are Owned by a Group [ref] |
If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. The following command will discover and print any files on local partitions which do not belong to a valid group: $ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition: $ sudo find PARTITION -xdev -nogroupWarning: This rule only considers local groups. If you have your groups defined outside /etc/group, the rule won't consider those. |
Unowned files do not directly imply a security problem, but they are generallya sign that something is amiss. They maybe caused by an intruder, by incorrect software installation ordraft software removal, or by failure to remove all files belongingto a deleted account. The files should be repaired so theywill not cause problems when accounts are created in the future,and the cause should be discovered and addressed. |
medium |
content_rule_file_permissions_ungroupowned |
SLES-15-040410 |
AC-6(1),CM-6(a) |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4 |
PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5,PR.PT-3 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235029r622137_rule |
CCI-000366,CCI-002165 |
1,3,5,11,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.06,DSS06.10 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,5.2 |
NaN |
6.1.10 |
| CCE-85657-5 |
Ensure All Files Are Owned by a User [ref] |
If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. The following command will discover and print any files on local partitions which do not belong to a valid user: $ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition: $ sudo find PARTITION -xdev -nouserWarning: For this rule to evaluate centralized user accounts, getent must be working properly so that running the command getent passwd returns a list of all users in your organization. If using the System Security Services Daemon (SSSD), enumerate = true must be configured in your organization's domain to return a complete list of usersWarning: Enabling this rule will result in slower scan times depending on the size of your organization and number of centralized users. |
Unowned files do not directly imply a security problem, but they are generallya sign that something is amiss. They maybe caused by an intruder, by incorrect software installation ordraft software removal, or by failure to remove all files belongingto a deleted account. The files should be repaired so theywill not cause problems when accounts are created in the future,and the cause should be discovered and addressed. |
medium |
content_rule_no_files_unowned_by_user |
SLES-15-040400 |
AC-6(1),CM-6(a) |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 |
PR.AC-4,PR.AC-6,PR.DS-5,PR.IP-1,PR.PT-3 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235028r622137_rule |
CCI-000366,CCI-002165 |
3,5,9,11,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,5.2,SR,7.6 |
NaN |
6.1.9 |
| CCE-85755-7 |
Verify permissions of log files [ref] |
Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. |
The SUSE Linux Enterprise 15 must generate error messages that provide informationnecessary for corrective actions without revealing information that couldbe exploited by adversaries. |
medium |
content_rule_permissions_local_var_log |
SLES-15-010340 |
SI-11(a),SI-11(b),SI-11.1(iii) |
NaN |
PR.AC-4,PR.DS-5 |
SRG-OS-000205-GPOS-00083 |
NaN |
SV-234832r622137_rule |
CCI-001312 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83278-2 |
Disable the Automounter [ref] |
The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter. The autofs service can be disabled with the following command: $ sudo systemctl mask --now autofs.service |
Disabling the automounter permits the administrator tostatically control filesystem mounting through /etc/fstab.Additionally, automatically mounting filesystems permits easy introduction ofunknown devices, thereby facilitating malicious activity. |
medium |
content_rule_service_autofs_disabled |
SLES-15-010240 |
CM-7(a),CM-7(b),CM-6(a),MP-7 |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4,3.4.6 |
PR.AC-1,PR.AC-3,PR.AC-6,PR.AC-7 |
SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227 |
NaN |
SV-234823r622137_rule |
CCI-000366,CCI-000778,CCI-001958 |
1,5,12,15,16 |
NaN |
164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.310(d)(1),164.310(d)(2),164.312(a)(1),164.312(a)(2)(iv),164.312(b) |
APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 |
A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.11.2.6,A.13.1.1,A.13.2.1,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.6 |
NaN |
1.1.23 |
| CCE-83294-9 |
Disable Modprobe Loading of USB Storage Driver [ref] |
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: install usb-storage /bin/true This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually. |
USB storage devices such as thumb drives can be used to introducemalicious software. |
medium |
content_rule_kernel_module_usb-storage_disabled |
SLES-15-010480 |
CM-7(a),CM-7(b),CM-6(a),MP-7 |
3.1.21,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4 |
PR.AC-1,PR.AC-3,PR.AC-6,PR.AC-7 |
SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227 |
NaN |
SV-234856r622137_rule |
CCI-000366,CCI-000778,CCI-001958 |
1,5,12,15,16 |
NaN |
164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.310(d)(1),164.310(d)(2),164.312(a)(1),164.312(a)(2)(iv),164.312(b) |
APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 |
A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.11.2.6,A.13.1.1,A.13.2.1,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.6 |
NaN |
1.1.3 |
| CCE-85633-6 |
Add nosuid Option to /home [ref] |
The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home. |
The presence of SUID and SGID executables should be tightly controlled. Usersshould not be able to execute SUID or SGID binaries from user home directory partitions. |
medium |
content_rule_mount_option_home_nosuid |
SLES-15-040140 |
AC-6,AC-6(1),CM-7(a),CM-7(b),CM-6(a),MP-7 |
4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,CIP-003-3,R5.1.1,CIP-003-3,R5.3,4.3.4.3.2,4.3.4.3.3 |
PR.IP-1,PR.PT-2,PR.PT-3 |
SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00227 |
NaN |
SV-234998r622137_rule |
CCI-000366 |
3,8,9,11,13,14 |
NaN |
NaN |
APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS05.06,DSS06.06 |
A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2,A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,7.6 |
BP28(R12) |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2 |
| CCE-85634-4 |
Add nosuid Option to Removable Media Partitions [ref] |
The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. |
The presence of SUID and SGID executables should be tightly controlled. Allowingusers to introduce SUID or SGID binaries from partitions mounted off ofremovable media would allow them to introduce their own highly-privileged programs. |
medium |
content_rule_mount_option_nosuid_removable_partitions |
SLES-15-040150 |
AC-6,AC-6(1),CM-7(a),CM-7(b),CM-6(a),MP-7 |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,CIP-003-3,R5.1.1,CIP-003-3,R5.3,4.3.4.3.2,4.3.4.3.3 |
PR.AC-3,PR.AC-4,PR.AC-6,PR.DS-5,PR.IP-1,PR.PT-2,PR.PT-3 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234999r622137_rule |
CCI-000366 |
3,5,8,9,11,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.06,DSS05.07,DSS06.02,DSS06.03,DSS06.06 |
A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.11.2.6,A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,5.2,SR,7.6 |
NaN |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,1.1.21 |
| CCE-83285-7 |
Verify that local /var/log/messages is not world-readable [ref] |
Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set the permissions of /var/log/messages, run the command: $ sudo chmod 0640 /var/log/messages Check that "permissions.local" file contains the correct permissions rules with the following command: # grep -i messages /etc/permissions.local /var/log/messages root:root 640 |
The /var/log/messages file contains system error messages. Onlyauthorized personnel should be aware of errors and the details of theerrors. Error messages are an indicator of an organization's operationalstate or can identify the SUSE operating system or platform. Additionally,Personally Identifiable Information (PII) and operational information mustnot be revealed through error messages to unauthorized personnel or theirdesignated representatives. |
medium |
content_rule_file_permissions_local_var_log_messages |
SLES-15-010350 |
NaN |
NaN |
NaN |
SRG-OS-000206-GPOS-00084 |
NaN |
SV-234833r622137_rule |
CCI-001314 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85609-6 |
Verify Permissions of Local Logs of audit Tools [ref] |
The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. Check that "permissions.local" file contains the correct permissions rules with the following command: grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 0750 /usr/sbin/auditctl root:root 0750 /usr/sbin/auditd root:root 0750 /usr/sbin/ausearch root:root 0755 /usr/sbin/aureport root:root 0755 /usr/sbin/autrace root:root 0750 /usr/sbin/augenrules root:root 0750 Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. |
Protecting audit information also includes identifying and protecting thetools used to view and manipulate log data. Therefore, protecting audittools is necessary to prevent unauthorized operation on audit information.SUSE operating systems providing tools to interface with audit informationwill leverage user permissions and roles identifying the user accessing thetools and the corresponding rights the user enjoys to make access decisionsregarding the access to audit tools. |
medium |
content_rule_permissions_local_audit_binaries |
SLES-15-030620 |
NaN |
NaN |
NaN |
SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099 |
NaN |
SV-234961r622137_rule |
CCI-001493,CCI-001494,CCI-001495 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85607-0 |
Verify that Local Logs of the audit Daemon are not World-Readable [ref] |
Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to bei read by any non-root user. Check that "permissions.local" file contains the correct permissions rules with the following command: # grep -i audit /etc/permissions.local /var/log/audit/ root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 |
Without the capability to restrict which roles and individuals can selectwhich events are audited, unauthorized personnel may be able to prevent theauditing of critical events. Misconfigured audits may degrade the system'sperformance by overwhelming the audit log. Misconfigured audits may alsomake it more difficult to establish, correlate, and investigate the eventsrelating to an incident or identify those responsible for one. |
medium |
content_rule_permissions_local_var_log_audit |
SLES-15-030600 |
AU-9 |
NaN |
NaN |
SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029 |
NaN |
SV-234959r622137_rule |
CCI-000164 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83299-8 |
Restrict Exposed Kernel Pointer Addresses Access [ref] |
To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=1 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 1 |
Exposing kernel pointers (through procfs or seq_printf()) exposeskernel writeable structures that can contain functions pointers. If a write vulnereability occursin the kernel allowing a write access to any of this structure, the kernel can be compromise. Thisoption disallow any program withtout the CAP_SYSLOG capability from getting the kernel pointers addresses,replacing them with 0. |
medium |
content_rule_sysctl_kernel_kptr_restrict |
SLES-15-010540 |
CM-6(a),SC-30,SC-30(2),SC-30(5) |
CIP-003-3,R5.1.1,CIP-003-3,R5.3,CIP-004-3,4.1,CIP-004-3,4.2 |
NaN |
SRG-OS-000132-GPOS-00067,SRG-OS-000433-GPOS-00192,SRG-OS-000480-GPOS-00227 |
NaN |
SV-234861r622137_rule |
CCI-002824,CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
BP28(R23) |
CIP-002-3,R1.1,CIP-002-3,R1.2,CIP-004-3,R2.2.3,CIP-004-3,R2.2.4,CIP-004-3,R2.3,CIP-004-3,R4,CIP-005-3a,R1,CIP-005-3a,R1.1,CIP-005-3a,R1.2,CIP-007-3,R3,CIP-007-3,R3.1,CIP-007-3,R5.1,CIP-007-3,R5.1.2,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,CIP-007-3,R8.4,CIP-009-3,R.1.1,CIP-009-3,R4 |
| CCE-83300-4 |
Enable Randomized Layout of Virtual Address Space [ref] |
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 |
Address space layout randomization (ASLR) makes it more difficult for anattacker to predict the location of attack code they have introduced into aprocess's address space during an attempt at exploitation. Additionally,ASLR makes it more difficult for an attacker to know the location ofexisting code in order to re-purpose it using return oriented programming(ROP) techniques. |
medium |
content_rule_sysctl_kernel_randomize_va_space |
SLES-15-010550 |
CM-6(a),SC-30,SC-30(2) |
3.1.7,CIP-003-3,R5.1.1,CIP-003-3,R5.3,CIP-004-3,4.1,CIP-004-3,4.2 |
NaN |
SRG-OS-000433-GPOS-00193,SRG-OS-000480-GPOS-00227 |
NaN |
SV-234862r622137_rule |
CCI-000366,CCI-002824 |
NaN |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e) |
NaN |
NaN |
NaN |
BP28(R23) |
CIP-002-3,R1.1,CIP-002-3,R1.2,CIP-004-3,R2.2.3,CIP-004-3,R2.2.4,CIP-004-3,R2.3,CIP-004-3,R4,CIP-005-3a,R1,CIP-005-3a,R1.1,CIP-005-3a,R1.2,CIP-007-3,R3,CIP-007-3,R3.1,CIP-007-3,R5.1,CIP-007-3,R5.1.2,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,CIP-007-3,R8.4,CIP-009-3,R.1.1,CIP-009-3,R4,1.6.3 |
| CCE-85638-5 |
Disable KDump Kernel Crash Analyzer (kdump) [ref] |
The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command: $ sudo systemctl mask --now kdump.service |
Kernel core dumps may contain the full contents of system memory at thetime of the crash. Kernel core dumps consume a considerable amount of diskspace and may result in denial of service by exhausting the available spaceon the target file system partition. Unless the system is used for kerneldevelopment or testing, there is little need to run the kdump service. |
medium |
content_rule_service_kdump_disabled |
SLES-15-040190 |
CM-7(a),CM-7(b),CM-6(a) |
4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 |
PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235003r622137_rule |
CCI-000366 |
3,8,9,11,12,14,15 |
NaN |
164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e) |
APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06 |
A.6.2.1,A.6.2.2,A.9.1.2,A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,7.1,SR,7.6 |
NaN |
FMT_SMF_EXT.1.1 |
| CCE-85700-3 |
Uninstall vsftpd Package [ref] |
The vsftpd package can be removed with the following command: $ sudo zypper remove vsftpd |
Removing the vsftpd package decreases the risk of itsaccidental activation. |
high |
content_rule_package_vsftpd_removed |
SLES-15-010030 |
CM-7(a),CM-7(b),CM-6(a),CM-7,CM-7.1(ii) |
4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 |
PR.IP-1,PR.PT-3 |
SRG-OS-000074-GPOS-00042,SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 |
NaN |
SV-234804r622137_rule |
CCI-000197,CCI-000366,CCI-000381 |
3,9,11,14 |
NaN |
NaN |
BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 |
IA-5(1)(c),IA-5(1).1(v),A.9.1.2,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,7.6 |
NaN |
2.2.8 |
| CCE-85605-4 |
Configure System to Forward All Mail For The Root Account [ref] |
Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address system.administrator@mail.mil is a valid email address reachable from the system in question. Use the following command to configure the alias: $ sudo echo "root: system.administrator@mail.mil" >> /etc/aliases $ sudo newaliases |
A number of system services utilize email messages sent to the root user tonotify system administrators of active or impending issues. These messages mustbe forwarded to at least one monitored email address. |
low |
content_rule_postfix_client_configure_mail_alias |
SLES-15-030580 |
CM-6(a) |
NaN |
NaN |
SRG-OS-000046-GPOS-00022 |
NaN |
SV-234957r622137_rule |
CCI-000139,CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
BP28(R49) |
NaN |
| CCE-85636-9 |
Mount Remote Filesystems with noexec [ref] |
Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. |
The noexec mount option causes the system not to execute binary files. This option must be usedfor mounting any file system not containing approved binary files as they may be incompatible. Executingfiles from untrusted file systems increases the opportunity for unprivileged users to attain unauthorizedadministrative access. |
medium |
content_rule_mount_option_noexec_remote_filesystems |
SLES-15-040170 |
AC-6,AC-6(8),AC-6(10),CM-6(a) |
4.3.3.7.3 |
PR.AC-4,PR.DS-5 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235001r622137_rule |
CCI-000366 |
3,5,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
NaN |
NaN |
| CCE-85635-1 |
Mount Remote Filesystems with nosuid [ref] |
Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. |
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executablesshould be installed to their default location on the local filesystem. |
medium |
content_rule_mount_option_nosuid_remote_filesystems |
SLES-15-040160 |
AC-6,AC-6(1) |
4.3.3.7.3 |
PR.AC-4,PR.DS-5 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235000r622137_rule |
CCI-000366 |
3,5,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
NaN |
CM6(a) |
| CCE-83287-3 |
Configure Time Service Maxpoll Interval [ref] |
The maxpoll should be configured to 16 in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following: maxpoll 16 |
Inaccurate time stamps make it more difficult to correlateevents and can lead to an inaccurate analysis. Determining the correcttime a particular event occurred on a system is critical when conductingforensic analysis and investigating system events. Sources outside theconfigured acceptable allowance (drift) may be inaccurate. |
medium |
content_rule_chronyd_or_ntpd_set_maxpoll |
SLES-15-010400 |
AU-8(1)(b),CM-6(a) |
4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 |
PR.PT-1 |
SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146 |
NaN |
SV-234849r622137_rule |
CCI-001891,CCI-002046 |
1,3,5,6,14,15,16 |
NaN |
NaN |
APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01 |
A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1 |
SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9 |
NaN |
4.4.2.1,4.4.2.2,4.4.2.4 |
| CCE-85622-9 |
Remove Host-Based Authentication Files [ref] |
The shosts.equiv file list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: $ sudo rm /[path]/[to]/[file]/shosts.equiv |
The shosts.equiv files are used to configure host-based authentication for thesystem via SSH. Host-based authentication is not sufficient for preventingunauthorized access to the system, as it does not require interactiveidentification and authentication of a connection request, or for the use oftwo-factor authentication. |
high |
content_rule_no_host_based_files |
SLES-15-040030 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234985r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-85621-1 |
Remove User Host-Based Authentication Files [ref] |
The ~/.shosts (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: $ sudo find / -name '.shosts' -type f -delete |
The .shosts files are used to configure host-based authentication forindividual users or the system via SSH. Host-based authentication is notsufficient for preventing unauthorized access to the system, as it does notrequire interactive identification and authentication of a connection request,or for the use of two-factor authentication. |
high |
content_rule_no_user_host_based_files |
SLES-15-040020 |
NaN |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234984r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83273-3 |
Uninstall telnet-server Package [ref] |
The telnet-server package can be removed with the following command: $ sudo zypper remove telnet-server |
It is detrimental for operating systems to provide, or install by default,functionality exceeding requirements or mission objectives. Theseunnecessary capabilities are often overlooked and therefore may remainunsecure. They increase the risk to the platform by providing additionalattack vectors.The telnet service provides an unencrypted remote access service which doesnot provide for the confidentiality and integrity of user passwords or theremote session. If a privileged user were to login using this service, theprivileged user password could be compromised.Removing the telnet-server package decreases the risk of thetelnet service's accidental (or intentional) activation. |
high |
content_rule_package_telnet-server_removed |
SLES-15-010180 |
CM-7(a),CM-7(b),CM-6(a) |
4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 |
PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4 |
SRG-OS-000095-GPOS-00049 |
NaN |
SV-234818r622137_rule |
CCI-000381 |
3,8,9,11,12,14,15 |
NaN |
164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) |
APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06 |
A.6.2.1,A.6.2.2,A.9.1.2,A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,7.1,SR,7.6 |
BP28(R1) |
2.2.19 |
| CCE-85647-6 |
Disable Compression Or Set Compression to delayed [ref] |
Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file: Compression no |
If compression is allowed in an SSH connection prior to authentication,vulnerabilities in the compression software could result in compromise of thesystem from an unauthenticated connection, potentially with root privileges. |
medium |
content_rule_sshd_disable_compression |
SLES-15-040280 |
AC-17(a),CM-7(a),CM-7(b),CM-6(a) |
3.1.12,4.3.4.3.2,4.3.4.3.3 |
PR.IP-1 |
SRG-OS-000480-GPOS-00227,SRG-OS-000480-VMM-002000 |
NaN |
SV-235012r622137_rule |
CCI-000366 |
3,9,11 |
NaN |
164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) |
BAI10.01,BAI10.02,BAI10.03,BAI10.05 |
A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,7.6 |
NaN |
NaN |
| CCE-85667-4 |
Disable SSH Access via Empty Passwords [ref] |
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config: PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
Configuring this setting for the SSH daemon provides additional assurancethat remote login via SSH will require a password, even in the event ofmisconfiguration elsewhere. |
high |
content_rule_sshd_disable_empty_passwords |
SLES-15-040440 |
CM-6(b),CM-6.1(iv) |
3.1.1,3.1.5,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 |
PR.AC-4,PR.AC-6,PR.DS-5,PR.IP-1,PR.PT-3 |
SRG-OS-000106-GPOS-00053,SRG-OS-000480-GPOS-00229,SRG-OS-000480-GPOS-00227,SRG-OS-000480-VMM-002000 |
NaN |
SV-235032r622137_rule |
CCI-000366,CCI-000766 |
3,5,9,11,12,13,14,15,16,18 |
NaN |
164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) |
APO01.06,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,5.2,SR,7.6 |
NaN |
NT007(R17),5.5.6,FIA_UAU.1,5.2.11 |
| CCE-85557-7 |
Disable SSH Root Login [ref] |
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config: PermitRootLogin no |
Even though the communications channel may be encrypted, an additional layer ofsecurity is gained by extending the policy of not logging directly on as root.In addition, logging in with a user-specific account provides individualaccountability of actions performed on the system and also helps to minimizedirect attack attempts on root's password. |
medium |
content_rule_sshd_disable_root_login |
SLES-15-020040 |
AC-6(2),AC-17(a),CM-7(a),CM-7(b),CM-6(a),IA-2,IA-2(5) |
3.1.1,3.1.5,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,CIP-003-3,R5.1.1,CIP-003-3,R5.3 |
PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5,PR.PT-3 |
SRG-OS-000109-GPOS-00056,SRG-OS-000480-GPOS-00227,SRG-OS-000480-VMM-002000 |
NaN |
SV-234870r622137_rule |
CCI-000366,CCI-000770 |
1,3,5,11,12,13,14,15,16,18 |
NaN |
164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) |
APO01.06,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.06,DSS06.10 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.11,SR,1.12,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.6,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.2,SR,2.3,SR,2.4,SR,2.5,SR,2.6,SR,2.7,SR,5.2 |
BP28(R19) |
NT007(R21),5.5.6,CIP-004-3,R2.2.3,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,FIA_UAU.1,5.2.10 |
| CCE-85642-7 |
Disable SSH Support for User Known Hosts [ref] |
SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: IgnoreUserKnownHosts yes |
Configuring this setting for the SSH daemon provides additionalassurance that remote login via SSH will require a password, evenin the event of misconfiguration elsewhere. |
medium |
content_rule_sshd_disable_user_known_hosts |
SLES-15-040230 |
AC-17(a),CM-7(a),CM-7(b),CM-6(a) |
3.1.12,4.3.4.3.2,4.3.4.3.3 |
PR.IP-1 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235007r622137_rule |
CCI-000366 |
3,9,11 |
NaN |
164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) |
BAI10.01,BAI10.02,BAI10.03,BAI10.05 |
A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,7.6 |
NaN |
FIA_UAU.1 |
| CCE-85707-8 |
Disable X11 Forwarding [ref] |
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled. To disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config: X11Forwarding no |
Disable X11 forwarding unless there is an operational requirement to use X11applications directly. There is a small risk that the remote X11 servers ofusers who are logged in via SSH with X11 forwarding could be compromised byother users on the X11 server. Note that even if X11 forwarding is disabled,users can always install their own forwarders. |
medium |
content_rule_sshd_disable_x11_forwarding |
SLES-15-040290 |
CM-6.1(iv) |
NaN |
NaN |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235013r622137_rule |
CCI-000366 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
5.2.6 |
| CCE-85666-6 |
Do Not Allow SSH Environment Options [ref] |
To ensure users are not able to override environment variables of the SSH daemon, add or correct the following line in /etc/ssh/sshd_config: PermitUserEnvironment no |
SSH environment options potentially allow users to bypassaccess restriction in some configurations. |
medium |
content_rule_sshd_do_not_permit_user_env |
SLES-15-040440 |
CM-6(b),CM-6.1(iv) |
3.1.12,4.3.4.3.2,4.3.4.3.3 |
PR.IP-1 |
SRG-OS-000480-GPOS-00229,SRG-OS-000480-VMM-002000 |
NaN |
SV-235032r622137_rule |
CCI-000366 |
3,9,11 |
NaN |
164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) |
BAI10.01,BAI10.02,BAI10.03,BAI10.05 |
A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 |
SR,7.6 |
NaN |
5.5.6,5.2.12 |
| CCE-85645-0 |
Enable Use of Strict Mode Checking [ref] |
SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected. To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file: StrictModes yes |
If other users have access to modify user-specific SSH configuration files, theymay be able to log into the system as another user. |
medium |
content_rule_sshd_enable_strictmodes |
SLES-15-040260 |
AC-6,AC-17(a),CM-6(a) |
3.1.12,4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 |
PR.AC-4,PR.DS-5 |
SRG-OS-000480-GPOS-00227,SRG-OS-000480-VMM-002000 |
NaN |
SV-235010r622137_rule |
CCI-000366 |
3,5,12,13,14,15,16,18 |
NaN |
164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
NaN |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2 |
| CCE-83263-4 |
Enable SSH Warning Banner [ref] |
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config: Banner /etc/issue Another section contains information on how to create an appropriate system-wide warning banner. |
The warning message reinforces policy awareness during the logon process andfacilitates possible legal action against attackers. Alternatively, systemswhose ownership should not be obvious should ensure usage of a banner that doesnot provide easy attribution. |
medium |
content_rule_sshd_enable_warning_banner |
SLES-15-010040 |
AC-8(a),AC-8(c),AC-17(a),CM-6(a) |
3.1.9,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-7 |
SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088,SRG-OS-000023-VMM-000060,SRG-OS-000024-VMM-000070 |
NaN |
SV-234805r622137_rule |
CCI-000048,CCI-000050,CCI-001384,CCI-001385,CCI-001386,CCI-001387,CCI-001388 |
1,12,15,16 |
NaN |
164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) |
DSS05.04,DSS05.10,DSS06.10 |
A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
NaN |
5.5.6,FTA_TAB.1,5.2.18 |
| CCE-85563-5 |
Enable SSH Print Last Log [ref] |
When enabled, SSH will display the date and time of the last successful account logon. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file: PrintLastLog yes |
Providing users feedback on when account accesses last occurred facilitates userrecognition and reporting of unauthorized account use. |
medium |
content_rule_sshd_print_last_log |
SLES-15-020120 |
AC-9,AC-17(a),CM-6(a) |
4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 |
PR.AC-7 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-234881r622137_rule |
CCI-000366 |
1,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.10,DSS06.10 |
A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.5,SR,1.7,SR,1.8,SR,1.9 |
NaN |
NaN |
| CCE-83281-6 |
Set SSH Idle Timeout Interval [ref] |
SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows: ClientAliveInterval 600 The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.Warning: SSH disconnecting idle clients will not have desired effect without also configuring ClientAliveCountMax in the SSH service configuration.Warning: Following conditions may prevent the SSH session to time out: Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.Any scp or sftp activity by the same user to the host resets the timeout. |
Terminating an idle ssh session within a short time period reduces the window ofopportunity for unauthorized personnel to take control of a management sessionenabled on the console or console port that has been let unattended. |
medium |
content_rule_sshd_set_idle_timeout |
SLES-15-010280 |
AC-17(a),AC-2(5),AC-12,AC-17(a),CM-6(a),CM-6(a),SC-10 |
3.1.11,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.3 |
PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-2,DE.CM-1,DE.CM-3 |
SRG-OS-000126-GPOS-00066,SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109,SRG-OS-000395-GPOS-00175,SRG-OS-000480-VMM-002000 |
NaN |
SV-234827r622137_rule |
CCI-000879,CCI-001133,CCI-002361 |
1,3,5,7,8,12,13,14,15,16,18 |
NaN |
NaN |
APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 |
A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,6.2 |
BP28(R29) |
5.5.6,CIP-004-3,R2.2.3,CIP-007-3,R5.1,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,Req-8.1.8,5.2.16 |
| CCE-83284-0 |
Set SSH Client Alive Count Max to zero [ref] |
The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered idle and terminated. To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, set the ClientAliveCountMax to value of 0. |
This ensures a user login will be terminated as soon as the ClientAliveIntervalis reached. |
medium |
content_rule_sshd_set_keepalive_0 |
SLES-15-010320 |
AC-2(5),AC-12,AC-17(a),CM-6(a),SC-10 |
3.1.11,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.3 |
PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-2,DE.CM-1,DE.CM-3 |
SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109,SRG-OS-000480-VMM-002000 |
NaN |
SV-234830r622137_rule |
CCI-000879,CCI-001133,CCI-002361 |
1,3,5,7,8,12,13,14,15,16,18 |
NaN |
164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) |
APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 |
A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,6.2 |
NaN |
5.5.6,CIP-004-3,R2.2.3,CIP-007-3,R5.1,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,Req-8.1.8 |
| CCE-83270-9 |
Set SSH Daemon LogLevel to VERBOSE [ref] |
The VERBOSE parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in the /etc/ssh/sshd_config file: LogLevel VERBOSE |
SSH provides several logging levels with varying amounts of verbosity. DEBUG is specificallynot recommended other than strictly for debugging SSH communications since it providesso much data that it is difficult to identify important security information. INFO orVERBOSE level is the basic level that only records login activity of SSH users. In manysituations, such as Incident Response, it is important to determine when a particular user was activeon a system. The logout record can eliminate those users who disconnected, which helps narrow thefield. |
medium |
content_rule_sshd_set_loglevel_verbose |
SLES-15-010150 |
AC-17(a),AC-17(1),CM-6(a) |
NaN |
NaN |
SRG-OS-000032-GPOS-00013 |
NaN |
SV-234815r622137_rule |
CCI-000067 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
CIP-007-3,R7.1,5.2.5 |
| CCE-83271-7 |
Use Only FIPS 140-2 Validated Ciphers [ref] |
Limit the ciphers to those algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers: Ciphers aes256-ctr,aes192-ctr,aes128-ctr This rule ensures that there are configured ciphers mentioned above (or their subset), keeping the given order of algorithms.Warning: The system needs to be rebooted for these changes to take effect.Warning: System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. |
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and thereforecannot be relied upon to provide confidentiality or integrity, and system data may be compromised.Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating tocryptographic modules.FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modulesutilize authentication that meets industry and government requirements. For government systems, this allowsSecurity Levels 1, 2, 3, or 4 for use on SUSE Linux Enterprise 15. |
medium |
content_rule_sshd_use_approved_ciphers_ordered_stig |
SLES-15-010160 |
NaN |
NaN |
NaN |
SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 |
NaN |
SV-234816r622137_rule |
CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83280-8 |
Use Only FIPS 140-2 Validated MACs [ref] |
Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs: MACs hmac-sha2-512,hmac-sha2-256 This rule ensures that there are configured MACs mentioned above (or their subset), keeping the given order of algorithms.Warning: The system needs to be rebooted for these changes to take effect.Warning: System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. |
DoD Information Systems are required to use FIPS-approved cryptographic hashfunctions. The only SSHv2 hash algorithms meeting this requirement is SHA2. |
medium |
content_rule_sshd_use_approved_macs_ordered_stig |
SLES-15-010270 |
NaN |
NaN |
NaN |
SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174 |
NaN |
SV-234826r622137_rule |
CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-83297-2 |
Enable the OpenSSH Service [ref] |
The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command: $ sudo systemctl enable sshd.service |
Without protection of the transmitted information, confidentiality, andintegrity may be compromised because unprotected communications can beintercepted and either read or altered.This checklist item applies to both internal and external networks and all typesof information system components from which information can be transmitted (e.g., servers,mobile devices, notebook computers, printers, copiers, scanners, etc). Communication pathsoutside the physical protection of a controlled boundary are exposed to the possibilityof interception and modification. |
medium |
content_rule_service_sshd_enabled |
SLES-15-010530 |
CM-6(a),SC-8,SC-8(1),SC-8(2),SC-8(3),SC-8(4) |
3.1.13,3.13.8,3.5.4 |
PR.DS-2,PR.DS-5 |
SRG-OS-000423-GPOS-00187,SRG-OS-000423-GPOS-00188,SRG-OS-000423-GPOS-00189,SRG-OS-000423-GPOS-00190 |
NaN |
SV-234860r622137_rule |
CCI-002418,CCI-002420,CCI-002421,CCI-002422 |
13,14 |
NaN |
NaN |
APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,3.1,SR,3.8,SR,4.1,SR,4.2,SR,5.2 |
NaN |
NaN |
| CCE-85644-3 |
Verify Permissions on SSH Server Private *_key Key Files [ref] |
To properly set the permissions of /etc/ssh/*_key, run the command: $ sudo chmod 0600 /etc/ssh/*_key |
If an unauthorized user obtains the private SSH host key file, the host could beimpersonated. |
medium |
content_rule_file_permissions_sshd_private_key |
SLES-15-040250 |
AC-17(a),AC-6(1),CM-6(a) |
3.1.13,3.13.10,4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 |
PR.AC-4,PR.DS-5 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235009r622137_rule |
CCI-000366 |
3,5,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
BP28(R36) |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,5.2.2 |
| CCE-85643-5 |
Verify Permissions on SSH Server Public *.pub Key Files [ref] |
To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub |
If a public host key file is modified by an unauthorized user, the SSH servicemay be compromised. |
medium |
content_rule_file_permissions_sshd_pub_key |
SLES-15-040240 |
AC-17(a),AC-6(1),CM-6(a) |
3.1.13,3.13.10,4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 |
PR.AC-4,PR.DS-5 |
SRG-OS-000480-GPOS-00227 |
NaN |
SV-235008r622137_rule |
CCI-000366 |
3,5,12,13,14,15,16,18 |
NaN |
NaN |
APO01.06,DSS05.04,DSS05.07,DSS06.02 |
A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 |
SR,2.1,SR,5.2 |
NaN |
CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,5.2.3 |
| CCE-83295-6 |
Configure SSSD's Memory Cache to Expire [ref] |
SSSD's memory cache should be configured to set to expire records after 86400 seconds. To configure SSSD to expire memory cache, set memcache_timeout to 86400 under the [nss] section in /etc/sssd/sssd.conf. For example: [nss] memcache_timeout = 86400 |
If cached authentication information is out-of-date, the validity of theauthentication information may be questionable. |
medium |
content_rule_sssd_memcache_timeout |
SLES-15-010490 |
CM-6(a) |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4 |
PR.AC-1,PR.AC-6,PR.AC-7 |
SRG-OS-000383-GPOS-00166,SRG-OS-000383-VMM-001570 |
NaN |
SV-234857r622137_rule |
CCI-002007 |
1,5,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 |
IA-5(13),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 |
NaN |
NaN |
| CCE-83296-4 |
Configure SSSD to Expire Offline Credentials [ref] |
SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example: [pam] offline_credentials_expiration = 1 |
If cached authentication information is out-of-date, the validity of theauthentication information may be questionable. |
medium |
content_rule_sssd_offline_cred_expiration |
SLES-15-010500 |
CM-6(a) |
4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4 |
PR.AC-1,PR.AC-6,PR.AC-7 |
SRG-OS-000383-GPOS-00166,SRG-OS-000383-VMM-001570 |
NaN |
SV-234858r622137_rule |
CCI-002007 |
1,5,12,15,16 |
NaN |
NaN |
DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 |
IA-5(13),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 |
SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 |
NaN |
NaN |