SLES 15 rule catalogue. Each record below gives the rule's CCE identifier and name, its Check/Fix text, its Rationale, Severity and Rule ID, followed by the control mappings (SLE STIG ID, NIST 800-53r4, NIST 800-171, NIST CSF 1.1, SRG, DISA STIG, SV, CCI, CIS, PCI DSS, HIPAA, COBIT, ISO 27002, IEC 62443, BP, Other); mapping columns with no value for a rule are not listed.
CCE-85788-8  Verify File Hashes with RPM
  Check/Fix: Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands matches vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
    $ rpm -Va --noconfig | grep '^..5'
  A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
    $ rpm -qf FILENAME
  The package can be reinstalled from a zypper repository using the command:
    $ sudo zypper reinstall PACKAGENAME
  Alternatively, the package can be reinstalled from trusted media using the command:
    $ sudo rpm -Uvh PACKAGENAME
  Rationale: The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
  Severity: high
  Rule ID: content_rule_rpm_verify_hashes
  Mappings: NIST 800-53r4: AU-9(3),CM-6(d),CM-6(c),SI-7,SI-7(1),SI-7(6); NIST 800-171: 3.3.8,3.4.1,4.3.4.3.2,4.3.4.3.3,4.3.4.4.4; NIST CSF 1.1: PR.DS-6,PR.DS-8,PR.IP-1; SRG: SRG-OS-000480-GPOS-00227; CCI: CCI-000366,CCI-001749; CIS: 2,3,9,11; HIPAA: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i); COBIT: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02; ISO 27002: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4; IEC 62443: SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6; Other: 5.10.4.1,Req-11.5
CCE-85782-1  Verify and Correct File Permissions with RPM
  Check/Fix: The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:
    $ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
  Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
    $ rpm -qf FILENAME
  Next, run the following command to reset its permissions to the correct values:
    $ sudo rpm --setperms PACKAGENAME
  Warning: Profiles may require that specific files have stricter file permissions than defined by the vendor. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.
  Rationale: Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
  Severity: high
  Rule ID: content_rule_rpm_verify_permissions
  Mappings: NIST 800-53r4: AU-9(3),CM-6(d),CM-6(c),CM-6(a),SI-7,SI-7(1),SI-7(6); NIST 800-171: 3.3.8,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,CIP-003-3 R4.2,CIP-003-3 R6,3.4.1,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7; NIST CSF 1.1: PR.AC-4,PR.DS-5,PR.IP-1,PR.PT-1; SRG: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099,SRG-OS-000278-GPOS-00108; CCI: CCI-001493,CCI-001494,CCI-001495,CCI-001496; CIS: 1,3,5,6,9,11,12,13,14,15,16,18; HIPAA: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i); COBIT: APO01.06,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.04,DSS05.07,DSS06.02,MEA02.01; ISO 27002: A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4; IEC 62443: SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 7.6; Other: 5.10.4.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-007-3 R4,CIP-007-3 R4.1,CIP-007-3 R4.2,Req-11.5,6.1.1
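An added example (not part of this catalogue or of the ComplianceAsCode project) that combines the two RPM checks above: it classifies `rpm -Va` output by the attribute columns the rules key on (column 3 for the digest, column 2 for the mode, and the "c" marker for configuration files) and exposes a pass/fail gate suitable for a cron job. The sample output is constructed; on a live host pipe `rpm -Va` into the function instead.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output (not captured from a real host).
# Columns 1-9 are the attribute flags (S M 5 D L U G T P), column 12 is the
# file-type marker (c = configuration file), then the path.
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
..5......    /usr/bin/ls
.M.......    /usr/sbin/useradd
.M5....T.  c /etc/login.defs
.........    /usr/bin/cat
missing     /usr/lib64/libexample.so'

# classify_rpm_verify: reads rpm -Va lines on stdin and prints one finding per line:
#   HASH <path>         digest differs and the file is not a configuration file
#   HASH-CONFIG <path>  digest differs on a configuration file (often expected; still review)
#   MODE <path>         permissions differ from the vendor default (fix: rpm --setperms)
#   MISSING <path>      file recorded in the RPM database is absent
classify_rpm_verify() {
  awk '
    $1 == "missing" { print "MISSING " $NF; next }
    {
      digest_differs = (substr($0, 3, 1) == "5")
      mode_differs   = (substr($0, 2, 1) == "M")
      is_config      = (substr($0, 12, 1) == "c")
      if (digest_differs) {
        tag = is_config ? "HASH-CONFIG " : "HASH "
        print tag $NF
      }
      if (mode_differs) print "MODE " $NF
    }'
}

# rpm_verify_clean: succeeds only when no non-config hash mismatch and no mode
# mismatch is present, so it can gate a scheduled check or a compliance step.
rpm_verify_clean() {
  ! classify_rpm_verify | grep -Eq '^(HASH|MODE) '
}

# Demonstration on the constructed sample; on a host use:  rpm -Va | classify_rpm_verify
printf '%s\n' "$SAMPLE" | classify_rpm_verify
```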
CCE-83289-9  Install AIDE
  Check/Fix: The aide package can be installed with the following command:
    $ sudo zypper install aide
  Rationale: The AIDE package must be installed if it is to be available for integrity checking.
  Severity: medium
  Rule ID: content_rule_package_aide_installed
  Mappings: SLE: SLES-15-010420; NIST 800-53r4: CM-6(a); NIST 800-171: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4; NIST CSF 1.1: PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1,PR.IP-3,DE.CM-1,DE.CM-7; SRG: SRG-OS-000363-GPOS-00150; SV: SV-234851r622137_rule; CCI: CCI-002699,CCI-001744; CIS: 1,2,3,5,7,8,9,11,12,13,14,15,16; COBIT: APO01.06,BAI01.06,BAI02.01,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS04.07,DSS05.02,DSS05.03,DSS05.05,DSS05.07,DSS06.02,DSS06.06; ISO 27002: A.8.2.3,A.11.2.4,A.12.1.2,A.12.2.1,A.12.4.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1; IEC 62443: SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 4.1,SR 6.2,SR 7.6; BP: BP28(R51); Other: 5.10.1.3,1034,1288,1341,1417,Req-11.5,1.4.1
CCE-85787-0  Build and Test AIDE Database
  Check/Fix: Run the following command to generate a new database:
    $ sudo /usr/sbin/aide --init
  By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files) in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
    $ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  To initiate a manual check, run the following command:
    $ sudo /usr/sbin/aide --check
  If this check produces any unexpected output, investigate.
  Rationale: For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
  Severity: medium
  Rule ID: content_rule_aide_build_database
  Mappings: NIST 800-53r4: CM-6(a); NIST 800-171: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4; NIST CSF 1.1: PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1,PR.IP-3,DE.CM-1,DE.CM-7; CIS: 1,2,3,5,7,8,9,11,12,13,14,15,16; COBIT: APO01.06,BAI01.06,BAI02.01,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS04.07,DSS05.02,DSS05.03,DSS05.05,DSS05.07,DSS06.02,DSS06.06; ISO 27002: A.8.2.3,A.11.2.4,A.12.1.2,A.12.2.1,A.12.4.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1; IEC 62443: SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 4.1,SR 6.2,SR 7.6; BP: BP28(R51); Other: 5.10.1.3,Req-11.5,1.4.1
CCE-85671-6  Configure Periodic Execution of AIDE
  Check/Fix: At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
    05 4 * * * root /usr/sbin/aide --check
  To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
    05 4 * * 0 root /usr/sbin/aide --check
  AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly, is acceptable.
  Rationale: By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
  Severity: medium
  Rule ID: content_rule_aide_periodic_cron_checking
  Mappings: SLE: SLES-15-010570; NIST 800-53r4: SI-6(d); NIST 800-171: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4; NIST CSF 1.1: PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1,PR.IP-3,DE.CM-1,DE.CM-7; SRG: SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201; SV: SV-234864r622137_rule; CCI: CCI-001744,CCI-002699,CCI-002702; CIS: 1,2,3,5,7,8,9,11,12,13,14,15,16; COBIT: APO01.06,BAI01.06,BAI02.01,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS04.07,DSS05.02,DSS05.03,DSS05.05,DSS05.07,DSS06.02,DSS06.06; ISO 27002: A.8.2.3,A.11.2.4,A.12.1.2,A.12.2.1,A.12.4.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1; IEC 62443: SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 4.1,SR 6.2,SR 7.6; BP: BP28(R51); Other: 5.10.1.3,Req-11.5,1.4.2
CCE-85791-2  Configure Libreswan to use System Crypto Policy
  Check/Fix: Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that /etc/ipsec.conf includes the appropriate configuration file. In /etc/ipsec.conf, make sure that the following line is not commented out or superseded by later includes:
    include /etc/crypto-policies/back-ends/libreswan.config
  Rationale: Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.
  Severity: medium
  Rule ID: content_rule_configure_libreswan_crypto_policy
  Mappings: NIST 800-53r4: CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3); NIST 800-171: CIP-003-3 R4.2; SRG: SRG-OS-000033-GPOS-00014; Other: CIP-007-3 R5.1,FCS_IPSEC_EXT.1.4,FCS_IPSEC_EXT.1.6
CCE-85794-6  Configure OpenSSL library to use System Crypto Policy
  Check/Fix: Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf. This file has the ini format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the following directive:
    .include /etc/crypto-policies/back-ends/opensslcnf.config
  Rationale: Overriding the system crypto policy makes the behavior of the Java runtime violate expectations, and makes system configuration more fragmented.
  Severity: medium
  Rule ID: content_rule_configure_openssl_crypto_policy
  Mappings: NIST 800-53r4: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3); NIST 800-171: CIP-003-3 R4.2; SRG: SRG-OS-000250-GPOS-00093; CCI: CCI-001453; Other: CIP-007-3 R5.1,CIP-007-3 R7.1
CCE-85795-3  Configure SSH to use System Crypto Policy
  Check/Fix: Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented out or not set at all in /etc/sysconfig/sshd.
  Rationale: Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.
  Severity: medium
  Rule ID: content_rule_configure_ssh_crypto_policy
  Mappings: NIST 800-53r4: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13; NIST 800-171: CIP-003-3 R4.2; SRG: SRG-OS-000250-GPOS-00093; HIPAA: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.312(e)(1),164.312(e)(2)(ii); Other: CIP-007-3 R5.1,CIP-007-3 R7.1
CCE-85789-6  Install Intrusion Detection Software
  Check/Fix: The base SUSE Linux Enterprise 15 platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised.
  Warning: In DoD environments, supplemental intrusion detection and antivirus tools, such as the McAfee Host-based Security System, are available to integrate with existing infrastructure. Per DISA guidance, when these supplemental tools interfere with proper functioning of SELinux, SELinux takes precedence. Should further clarification be required, DISA contact information is published publicly at https://public.cyber.mil/stigs/
  Rationale: Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.
  Severity: high
  Rule ID: content_rule_install_hids
  Mappings: NIST 800-53r4: CM-6(a); NIST 800-171: 4.3.3.4; NIST CSF 1.1: PR.AC-5,PR.DS-5,PR.PT-4,DE.CM-1; CCI: CCI-001263; CIS: 1,7,8,9,12,13,14,15,16,18; COBIT: APO01.06,APO13.01,DSS01.03,DSS01.05,DSS03.05,DSS05.02,DSS05.04,DSS05.07,DSS06.02; ISO 27002: A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3; IEC 62443: SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.6; Other: Req-11.4
CCE-85783-9  Enable GNOME3 Screensaver Idle Activation
  Check/Fix: To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set idle-activation-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:
    [org/gnome/desktop/screensaver]
    idle-activation-enabled=true
  Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
    /org/gnome/desktop/screensaver/idle-activation-enabled
  After the settings have been set, run dconf update.
  Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require that the login session does not have administrator rights and that the display station is located in a controlled-access area.
  Severity: medium
  Rule ID: content_rule_dconf_gnome_screensaver_idle_activation_enabled
  Mappings: NIST 800-53r4: AC-11(a),CM-6(a); NIST 800-171: 3.1.10,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9; NIST CSF 1.1: PR.AC-7; SRG: SRG-OS-000029-GPOS-00010; CCI: CCI-000057; CIS: 1,12,15,16; COBIT: DSS05.04,DSS05.10,DSS06.10; ISO 27002: A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4; IEC 62443: SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9; Other: 5.5.5,FMT_MOF_EXT.1,Req-8.1.8
CCE-85669-0  Set GNOME3 Screensaver Inactivity Timeout
  Check/Fix: The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting, which must be set in an appropriate configuration file (or files) in the /etc/dconf/db/local.d directory and locked in the /etc/dconf/db/local.d/locks directory to prevent user modification. For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:
    [org/gnome/desktop/session]
    idle-delay=uint32 900
  Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
    /org/gnome/desktop/session/idle-delay
  After the settings have been set, run dconf update.
  Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.
  Severity: medium
  Rule ID: content_rule_dconf_gnome_screensaver_idle_delay
  Mappings: SLE: SLES-15-010120; NIST 800-53r4: AC-11(a),AC-11.1(ii); NIST 800-171: 3.1.10,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9; NIST CSF 1.1: PR.AC-7; SRG: SRG-OS-000029-GPOS-00010; SV: SV-234812r622137_rule; CCI: CCI-000057; CIS: 1,12,15,16; COBIT: DSS05.04,DSS05.10,DSS06.10; ISO 27002: A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4; IEC 62443: SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9; Other: 5.5.5,FMT_MOF_EXT.1,Req-8.1.8
CCE-85766-4  Enable GNOME3 Screensaver Lock After Idle Period
  Check/Fix: To activate locking of the screensaver in the GNOME3 desktop when it is activated, run the following command to configure the SUSE operating system to allow the user to lock the GUI:
    gsettings set org.gnome.desktop.lockdown disable-lock-screen false
  Validate that disable-lock-screen has been set to false with the command:
    gsettings get org.gnome.desktop.lockdown disable-lock-screen
  Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence.
  Severity: medium
  Rule ID: content_rule_dconf_gnome_screensaver_lock_enabled
  Mappings: SLE: SLES-15-010100; NIST 800-53r4: CM-6(a); NIST 800-171: 3.1.10,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9; NIST CSF 1.1: PR.AC-7; SRG: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011; SV: SV-234810r622137_rule; CCI: CCI-000056,CCI-000058,CCI-000060; CIS: 1,12,15,16; COBIT: DSS05.04,DSS05.10,DSS06.10; ISO 27002: A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4; IEC 62443: SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9; Other: 5.5.5,FMT_MOF_EXT.1,Req-8.1.8
CCE-85715-1  Implement Blank Screensaver
  Check/Fix: On SUSE, users should set the screensaver to use publicly viewable images or a blank screen by doing the following. Find the Settings menu and then navigate to the Background selection section:
    - Click "Activities" on the top left.
    - Click "Show Applications" at the bottom of the Activities menu.
    - Click the "Settings" icon.
    - Click "Background" from the left hand menu.
    - Select an image and set the Lock Screen image to the user's choice.
    - Exit the Settings dialog.
  To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to the string '' in /etc/dconf/db/local.d/00-security-settings. For example:
    [org/gnome/desktop/screensaver]
    picture-uri=''
  Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
    /org/gnome/desktop/screensaver/picture-uri
  After the settings have been set, run dconf update.
  Rationale: Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
  Severity: medium
  Rule ID: content_rule_dconf_gnome_screensaver_mode_blank
  Mappings: SLE: SLES-15-010140; NIST 800-53r4: AC-11(1),AC-11(1).1,CM-6(a); NIST 800-171: 3.1.10,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9; NIST CSF 1.1: PR.AC-7; SRG: SRG-OS-000031-GPOS-00012; SV: SV-234814r622137_rule; CCI: CCI-000060; CIS: 1,12,15,16; COBIT: DSS05.04,DSS05.10,DSS06.10; ISO 27002: A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4; IEC 62443: SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9; Other: 5.5.5,FMT_MOF_EXT.1,Req-8.1.8
CCE-83288-1  Make sure that the dconf databases are up-to-date with regards to respective keyfiles
  Check/Fix: By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command.
  Rationale: Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time: configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them.
  Severity: high
  Rule ID: content_rule_dconf_db_up_to_date
  Mappings: SRG: SRG-OS-000480-GPOS-00227; HIPAA: 164.308(a)(1)(ii)(B),164.308(a)(5)(ii)(A)
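An added example (not the catalogue's or ComplianceAsCode's own code) that implements the two-part dconf evaluation the rule above describes for the GNOME screensaver settings listed earlier: a keyfile must set the key, a lock must pin it, and the compiled database must be newer than every keyfile and lock. The real paths are /etc/dconf/db/local and /etc/dconf/db/local.d as given on this page; the demonstration builds a constructed copy of that layout in a temporary directory with forced timestamps.

```shell
#!/bin/sh
# dconf_db_up_to_date DB KEYFILE_DIR: succeeds when the compiled database DB exists
# and no keyfile or lock under KEYFILE_DIR was modified after it.
dconf_db_up_to_date() {
  [ -f "$1" ] || return 1
  [ -z "$(find "$2" -type f -newer "$1" -print | head -n 1)" ]
}

# dconf_key_set KEYFILE_DIR PATH VALUE: succeeds when some keyfile directly in
# KEYFILE_DIR sets the key named by PATH (e.g. /org/gnome/desktop/session/idle-delay)
# to VALUE under the matching [section] header.
dconf_key_set() {
  path=$2
  section=${path%/*}; section=${section#/}
  key=${path##*/}
  for f in "$1"/*; do [ -f "$f" ] && cat "$f"; done |
    awk -v s="[$section]" -v k="$key" -v v="$3" '
      /^[ \t]*[#;]/ || NF == 0 { next }
      /^\[/ { cur = $0; next }
      cur == s && index($0, k "=") == 1 {
        val = substr($0, length(k) + 2)
        if (val == v) hit = 1
      }
      END { exit (hit ? 0 : 1) }'
}

# dconf_key_locked KEYFILE_DIR PATH: succeeds when a file in KEYFILE_DIR/locks lists PATH.
dconf_key_locked() {
  for f in "$1"/locks/*; do
    [ -f "$f" ] && grep -qxF "$2" "$f" && return 0
  done
  return 1
}

# dconf_setting_enforced DB KEYFILE_DIR PATH VALUE: all three conditions at once,
# which is what the rule above requires before the dconf state can be trusted.
dconf_setting_enforced() {
  dconf_key_set "$2" "$3" "$4" && dconf_key_locked "$2" "$3" && dconf_db_up_to_date "$1" "$2"
}

# make_demo_layout ROOT: constructed stand-in for /etc/dconf/db (not a real host's
# files). Timestamps are forced so the "database" is newer than keyfile and lock.
make_demo_layout() {
  mkdir -p "$1/local.d/locks"
  printf '[org/gnome/desktop/session]\nidle-delay=uint32 900\n\n[org/gnome/desktop/screensaver]\nidle-activation-enabled=true\n' \
    > "$1/local.d/00-security-settings"
  printf '/org/gnome/desktop/session/idle-delay\n/org/gnome/desktop/screensaver/idle-activation-enabled\n' \
    > "$1/local.d/locks/00-security-settings-lock"
  : > "$1/local"   # stands in for the compiled binary database
  touch -t 202001010000 "$1/local.d/00-security-settings" "$1/local.d/locks/00-security-settings-lock"
  touch -t 202001020000 "$1/local"
}

demo=$(mktemp -d)
make_demo_layout "$demo"
if dconf_setting_enforced "$demo/local" "$demo/local.d" /org/gnome/desktop/session/idle-delay 'uint32 900'; then
  echo "idle-delay enforced and database current"
fi
# A keyfile edited after the last dconf update makes the database stale.
touch -t 202001030000 "$demo/local.d/00-security-settings"
dconf_db_up_to_date "$demo/local" "$demo/local.d" || echo "database stale: run dconf update"
rm -rf "$demo"
```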
CCE-83290-7  Ensure gpgcheck Enabled In Main zypper Configuration
  Check/Fix: The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure zypper to check package signatures before installing them, ensure the following line appears in /etc/zypp/zypp.conf in the [main] section:
    gpgcheck=1
  Rationale: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
  Severity: high
  Rule ID: content_rule_ensure_gpgcheck_globally_activated
  Mappings: SLE: SLES-15-010430; NIST 800-53r4: CM-5(3),CM-6(a),CM-11(a),CM-11(b),SA-12,SC-12,SC-12(3),SI-7; NIST 800-171: 3.4.8,4.3.4.3.2,4.3.4.3.3,4.3.4.4.4; NIST CSF 1.1: PR.DS-6,PR.DS-8,PR.IP-1; SRG: SRG-OS-000366-GPOS-00153,SRG-OS-000366-VMM-001430,SRG-OS-000370-VMM-001460,SRG-OS-000404-VMM-001650; SV: SV-234852r622137_rule; CCI: CCI-001749; CIS: 2,3,9,11; HIPAA: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i); COBIT: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02; ISO 27002: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,SA-12(10),A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4; IEC 62443: SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6; BP: BP28(R15); Other: 5.10.4.1,FPT_TUD_EXT.1,FPT_TUD_EXT.2,Req-6.2,1.2.3
CCE-85797-9  Ensure gpgcheck Enabled for All zypper Package Repositories
  Check/Fix: To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:
    gpgcheck=0
  Rationale: Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
  Severity: high
  Rule ID: content_rule_ensure_gpgcheck_never_disabled
  Mappings: NIST 800-53r4: CM-5(3),CM-6(a),CM-11(a),CM-11(b),SA-12,SC-12,SC-12(3),SI-7; NIST 800-171: 3.4.8,4.3.4.3.2,4.3.4.3.3,4.3.4.4.4; NIST CSF 1.1: PR.DS-6,PR.DS-8,PR.IP-1; SRG: SRG-OS-000366-GPOS-00153,SRG-OS-000366-VMM-001430,SRG-OS-000370-VMM-001460,SRG-OS-000404-VMM-001650; CCI: CCI-001749; CIS: 2,3,9,11; HIPAA: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i); COBIT: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02; ISO 27002: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,SA-12(10),A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4; IEC 62443: SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6; BP: BP28(R15); Other: 5.10.4.1,FPT_TUD_EXT.1,FPT_TUD_EXT.2,Req-6.2,1.2.3
CCE-85796-1  Ensure SUSE GPG Key Installed
  Check/Fix: To ensure the system can cryptographically verify that base software packages come from SUSE (and to connect to SUSE to receive them), the SUSE GPG key must be properly installed. To install the SUSE GPG key, run:
    $ sudo zypper install suse-build-key
  If the system is not connected to the Internet or an RHN Satellite, then install the SUSE GPG key from trusted media such as the SUSE installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
    $ sudo rpm --import /media/cdrom/content.key
  or
    $ sudo rpm --import /media/cdrom/repodata/repomd.xml.key
  Alternatively, the key may be pre-loaded during the SUSE installation. In such cases, one can use the repository cache files to install the key, for example by running the following command:
    sudo rpm --import /var/cache/zypp/raw/Basesystem_Module_15_SP2_x86_64:SLE-Module-Basesystem15-SP2-Pool/repodata/repomd.xml.key
  Rationale: Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The SUSE GPG key is necessary to cryptographically verify packages are from SUSE.
  Severity: high
  Rule ID: content_rule_ensure_suse_gpgkey_installed
  Mappings: NIST 800-53r4: CM-5(3),CM-6(a),SC-12,SC-12(3),SI-7; NIST 800-171: CIP-003-3 R4.2,CIP-003-3 R6,3.4.8,4.3.4.3.2,4.3.4.3.3,4.3.4.4.4; NIST CSF 1.1: PR.DS-6,PR.DS-8,PR.IP-1; SRG: SRG-OS-000366-GPOS-00153,SRG-OS-000366-VMM-001430,SRG-OS-000370-VMM-001460,SRG-OS-000404-VMM-001650; CCI: CCI-001749; CIS: 2,3,9,11; HIPAA: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i); COBIT: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02; ISO 27002: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4; IEC 62443: SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6; BP: BP28(R15); Other: 5.10.4.1,CIP-007-3 R4,CIP-007-3 R4.1,CIP-007-3 R4.2,CIP-007-3 R5.1,FPT_TUD_EXT.1,FPT_TUD_EXT.2,Req-6.2
CCE-83261-8  Ensure Software Patches Installed
  Check/Fix: If the system is configured for online updates, invoking the following command will list available security updates:
    $ sudo zypper refresh && sudo zypper list-patches -g security
  NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
  Rationale: Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
  Severity: high
  Rule ID: content_rule_security_patches_up_to_date
  Mappings: SLE: SLES-15-010010; NIST 800-53r4: CM-6(a),SI-2(5),SI-2(c); NIST 800-171: 4.2.3.12; NIST CSF 1.1: ID.RA-1,PR.IP-12; SRG: SRG-OS-000480-GPOS-00227,SRG-OS-000480-VMM-002000; SV: SV-234802r622137_rule; CCI: CCI-000366,CCI-001227; CIS: 4,18,20; COBIT: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02; ISO 27002: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3; BP: BP28(R08); Other: 5.10.4.1,4.2.3,4.2.3.7,4.2.3.9,FMT_MOF_EXT.1,Req-6.2
CCE-85678-1  Limit Password Reuse
  Check/Fix: Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember=5 to the line which refers to the pam_unix.so or pam_pwhistory.so module, as shown below. For the pam_unix.so case:
    password sufficient pam_unix.so ...existing_options... remember=5
  For the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ...existing_options... remember=5
  The DoD STIG requirement is 5 passwords.
  Rationale: Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
  Severity: medium
  Rule ID: content_rule_accounts_password_pam_unix_remember
  Mappings: SLE: SLES-15-020250; NIST 800-171: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4,3.5.8; NIST CSF 1.1: PR.AC-1,PR.AC-6,PR.AC-7; SRG: SRG-OS-000077-GPOS-00045,SRG-OS-000077-VMM-000440; SV: SV-234894r622137_rule; CCI: CCI-000200; CIS: 1,5,12,15,16; COBIT: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10; ISO 27002: IA-5(1)(e),IA-5(1).1(v),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4; IEC 62443: SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1; BP: BP28(R18); Other: 5.6.2.1.1,Req-8.2.5
CCE-85842-3  Set Deny For Failed Password Attempts
  Check/Fix: To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows. Add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=6 unlock_time=1800 fail_interval=900
  Add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=6 unlock_time=1800 fail_interval=900
  Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
  Rationale: Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.
  Severity: medium
  Rule ID: content_rule_accounts_passwords_pam_faillock_deny
  Mappings: NIST 800-53r4: AC-7(a),CM-6(a); NIST 800-171: 3.1.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9; NIST CSF 1.1: PR.AC-7; SRG: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005,SRG-OS-000021-VMM-000050; CCI: CCI-000044,CCI-002236,CCI-002237,CCI-002238; CIS: 1,12,15,16; COBIT: DSS05.04,DSS05.10,DSS06.10; ISO 27002: A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4; IEC 62443: SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9; BP: BP28(R18); Other: 5.5.3,0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561,FIA_AFL.1,Req-8.1.6
CCE-85841-5  Set Lockout Time for Failed Password Attempts
  Check/Fix: To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows. Add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=6 unlock_time=1800 fail_interval=900
  Add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=6 unlock_time=1800 fail_interval=900
  Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
  If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user.
  Rationale: Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.
  Severity: medium
  Rule ID: content_rule_accounts_passwords_pam_faillock_unlock_time
  Mappings: NIST 800-53r4: AC-7(b),CM-6(a); NIST 800-171: 3.1.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9; NIST CSF 1.1: PR.AC-7; SRG: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005,SRG-OS-000329-VMM-001180; CCI: CCI-000044,CCI-002236,CCI-002237,CCI-002238; CIS: 1,12,15,16; COBIT: DSS05.04,DSS05.10,DSS06.10; ISO 27002: A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4; IEC 62443: SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9; BP: BP28(R18); Other: 5.5.3,0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561,FIA_AFL.1,Req-8.1.7
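An added example (not the catalogue's or ComplianceAsCode's own code) that checks a PAM stack for what the two pam_faillock rules above prescribe: the preauth line before pam_unix.so in the auth section, the authfail line after it, the account line before account pam_unix.so, a deny= value set and no higher than a policy maximum, and unlock_time= present on the faillock auth lines. The PAM fragments are constructed; on a host pass /etc/pam.d/system-auth and /etc/pam.d/password-auth to check_faillock_files.

```shell
#!/bin/sh
# Constructed /etc/pam.d/system-auth fragment laid out as the rules above describe.
GOOD='auth     required      pam_env.so
auth     required      pam_faillock.so preauth silent deny=6 unlock_time=1800 fail_interval=900
auth     sufficient    pam_unix.so try_first_pass
auth     [default=die] pam_faillock.so authfail deny=6 unlock_time=1800 fail_interval=900
auth     required      pam_deny.so
account  required      pam_faillock.so
account  required      pam_unix.so'

# Same fragment with the preauth line after pam_unix.so, deny raised to 10 and the
# account-section faillock line missing: three separate findings.
BAD='auth     required      pam_env.so
auth     sufficient    pam_unix.so try_first_pass
auth     required      pam_faillock.so preauth silent deny=10 unlock_time=1800 fail_interval=900
auth     [default=die] pam_faillock.so authfail deny=10 unlock_time=1800 fail_interval=900
account  required      pam_unix.so'

# check_faillock MAXDENY: reads one PAM file on stdin; exit 0 only when every
# condition listed in the lead-in holds (1 <= deny <= MAXDENY on all faillock lines).
check_faillock() {
  awk -v maxdeny="$1" '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "auth" && $3 == "pam_unix.so" { auth_unix = NR }
    $1 == "auth" && $3 == "pam_faillock.so" {
      if ($0 ~ /preauth/)  preauth  = NR
      if ($0 ~ /authfail/) authfail = NR
      if ($0 !~ /unlock_time=/) nounlock = 1
      for (i = 4; i <= NF; i++) if ($i ~ /^deny=/) {
        seen_deny = 1
        split($i, kv, "="); d = kv[2] + 0
        if (d < 1 || d > maxdeny) baddeny = 1
      }
    }
    $1 == "account" && $3 == "pam_unix.so"     { acct_unix = NR }
    $1 == "account" && $3 == "pam_faillock.so" { acct_fl = NR }
    END {
      ok = auth_unix && preauth && authfail && preauth < auth_unix && authfail > auth_unix
      ok = ok && acct_unix && acct_fl && acct_fl < acct_unix
      ok = ok && seen_deny && !baddeny && !nounlock
      exit (ok ? 0 : 1)
    }'
}

# check_faillock_files MAXDENY FILE...: PASS/FAIL per file; fails if any file fails,
# since both system-auth and password-auth must carry the configuration.
check_faillock_files() {
  maxdeny=$1; shift; rc=0
  for f in "$@"; do
    if check_faillock "$maxdeny" < "$f"; then echo "PASS $f"; else echo "FAIL $f"; rc=1; fi
  done
  return $rc
}

# Demonstration on the constructed fragments with the page's deny=6 as the maximum.
printf '%s\n' "$GOOD" | check_faillock 6 && echo "GOOD fragment: compliant"
printf '%s\n' "$BAD"  | check_faillock 6 || echo "BAD fragment: finding"
```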
CCE-85840-7  Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
  Check/Fix: The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.
  Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
  Severity: medium
  Rule ID: content_rule_accounts_password_pam_lcredit
  Mappings: NIST 800-53r4: CM-6(a); NIST 800-171: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4; NIST CSF 1.1: PR.AC-1,PR.AC-6,PR.AC-7; SRG: SRG-OS-000070-GPOS-00038,SRG-OS-000070-VMM-000370; CCI: CCI-000193; CIS: 1,5,12,15,16; COBIT: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10; ISO 27002: IA-5(c),IA-5(1)(a),IA-5(4),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4; IEC 62443: SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1; BP: BP28(R18); Other: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561,FMT_MOF_EXT.1,Req-8.2.3,5.3.1
CCE-85754-0  Set PAM's Common Authentication Hashing Algorithm
  Check/Fix: The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/common-auth, the auth section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the auth section to include the argument sha512, as shown below:
    auth required pam_unix.so sha512 other arguments...
  This will help ensure that when local users change their authentication method, hashes for the new authentications will be generated using the SHA-512 algorithm. This is the default.
  Rationale: Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and data may be compromised. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
  Severity: medium
  Rule ID: content_rule_set_password_hashing_algorithm_commonauth
  Mappings: SLE: SLES-15-010250; NIST 800-53r4: IA-7; SRG: SRG-OS-000120-GPOS-00061,SRG-OS-000480-VMM-002000; SV: SV-234824r622137_rule; CCI: CCI-000803; ISO 27002: IA-7.1
CCE-85798-7 Set Password Hashing Algorithm in /etc/libuser.conf [ref] In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing: crypt_style = sha512 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. medium content_rule_set_password_hashing_algorithm_libuserconf NaN CM-6(a) 3.13.11,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4 PR.AC-1,PR.AC-6,PR.AC-7 SRG-OS-000073-GPOS-00041,SRG-OS-000480-VMM-002000 NaN NaN CCI-000196 1,5,12,15,16 NaN NaN DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 IA-5(c),IA-5(1)(c),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 NaN 5.6.2.2,0418,1055,1402,Req-8.2.1
CCE-83279-0 Set Password Hashing Algorithm in /etc/login.defs [ref] In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. Using a stronger hashing algorithm makes password cracking attacks more difficult. medium content_rule_set_password_hashing_algorithm_logindefs SLES-15-010260 CM-6(a) 3.13.11,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4 PR.AC-1,PR.AC-6,PR.AC-7 SRG-OS-000073-GPOS-00041 NaN SV-234825r622137_rule CCI-000196 1,5,12,15,16 NaN NaN DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 IA-5(c),IA-5(1)(c),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 BP28(R32) 5.6.2.2,0418,1055,1402,Req-8.2.1,5.4.1.2
CCE-85560-1 Ensure PAM Displays Last Logon/Access Notification [ref] To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/login to read as follows: session required pam_lastlog.so showfailed And make sure that the silent option is not set. Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to log in to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. low content_rule_display_login_attempts SLES-15-020080 AC-9(1),CM-6(a) 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 PR.AC-7 SRG-OS-000480-GPOS-00227 NaN SV-234873r622137_rule CCI-000366 1,12,15,16 NaN NaN DSS05.04,DSS05.10,DSS06.10 A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.5,SR,1.7,SR,1.8,SR,1.9 NaN 5.5.2,0582,0584,05885,0586,0846,0957,Req-10.2.4
CCE-83292-3 Install Smart Card Packages For Multifactor Authentication [ref] Configure the operating system to implement multifactor authentication by installing the required packages with the following commands: The pam_pkcs11 package can be installed with the following command: $ sudo zypper install pam_pkcs11 The mozilla-nss package can be installed with the following command: $ sudo zypper install mozilla-nss The mozilla-nss-tools package can be installed with the following command: $ sudo zypper install mozilla-nss-tools The pcsc-ccid package can be installed with the following command: $ sudo zypper install pcsc-ccid The pcsc-lite package can be installed with the following command: $ sudo zypper install pcsc-lite The pcsc-tools package can be installed with the following command: $ sudo zypper install pcsc-tools The opensc package can be installed with the following command: $ sudo zypper install opensc Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. medium content_rule_install_smartcard_packages SLES-15-010460 CM-6(a) NaN NaN SRG-OS-000105-GPOS-00052,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000377-GPOS-00162 NaN SV-234854r622137_rule CCI-000765,CCI-001948,CCI-001953,CCI-001954 NaN NaN NaN NaN NaN NaN NaN NaN
CCE-85844-9 Enable the pcscd Service [ref] The pcscd service can be enabled with the following command: $ sudo systemctl enable pcscd.service Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. medium content_rule_service_pcscd_enabled NaN CM-6(a),IA-2(1),IA-2(2),IA-2(3),IA-2(4),IA-2(6),IA-2(7),IA-2(11) NaN NaN SRG-OS-000375-GPOS-00160,SRG-OS-000377-VMM-001530 NaN NaN CCI-001954 NaN NaN NaN NaN NaN NaN NaN 1382,1384,1386
CCE-85843-1 Configure opensc Smart Card Drivers [ref] The OpenSC smart card tool can auto-detect smart card drivers; however, setting the smart card drivers in use by your organization helps to prevent users from using unauthorized smart cards. The default smart card driver for this profile is cac. To configure the OpenSC driver, edit /etc/opensc.conf and add the following line into the file in the app default block, so it will look like: app default { ... card_drivers = cac; } Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Configuring the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards. medium content_rule_configure_opensc_card_drivers NaN CM-6(a),IA-2(1),IA-2(2),IA-2(3),IA-2(4),IA-2(6),IA-2(7),IA-2(11) 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4 PR.AC-1,PR.AC-6,PR.AC-7 SRG-OS-000104-GPOS-00051,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000109-GPOS-00056,SRG-OS-000108-GPOS-00055,SRG-OS-000108-GPOS-00057,SRG-OS-000108-GPOS-00058,SRG-OS-000376-VMM-001520 NaN NaN CCI-000765,CCI-000766,CCI-000767,CCI-000768,CCI-000771,CCI-000772,CCI-000884 1,5,12,15,16 NaN NaN DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 NaN 1382,1384,1386,Req-8.3
CCE-85827-4 Force opensc To Use Defined Smart Card Driver [ref] The OpenSC smart card middleware can auto-detect smart card drivers; however, by forcing the smart card driver in use by your organization, opensc will no longer autodetect or use other drivers unless specified. This helps to prevent users from using unauthorized smart cards. The default smart card driver for this profile is cac. To force the OpenSC driver, edit /etc/opensc.conf. Look for a line similar to: # force_card_driver = customcos; and change it to: force_card_driver = cac; Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Forcing the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards. medium content_rule_force_opensc_card_drivers NaN CM-6(a),IA-2(1),IA-2(2),IA-2(3),IA-2(4),IA-2(6),IA-2(7),IA-2(11) 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4 PR.AC-1,PR.AC-6,PR.AC-7 SRG-OS-000104-GPOS-00051,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000109-GPOS-00056,SRG-OS-000108-GPOS-00055,SRG-OS-000108-GPOS-00057,SRG-OS-000108-GPOS-00058,SRG-OS-000376-VMM-001520 NaN NaN CCI-000765,CCI-000766,CCI-000767,CCI-000768,CCI-000771,CCI-000772,CCI-000884 1,5,12,15,16 NaN NaN DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 NaN 1382,1384,1386,Req-8.3
CCE-85558-5 Set Account Expiration Following Inactivity [ref] To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd: INACTIVE=90 If a password is currently on the verge of expiration, then 90 day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus 90 day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. medium content_rule_account_disable_post_pw_expiration SLES-15-020050 AC-2(3),CM-6(a),IA-4(e) 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,3.5.6 PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,DE.CM-1,DE.CM-3 SRG-OS-000118-GPOS-00060,SRG-OS-000003-VMM-000030,SRG-OS-000118-VMM-000590 NaN SV-234871r622137_rule CCI-000017,CCI-000795 1,3,5,7,8,12,13,14,15,16,18 NaN NaN DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.12.4.1,A.12.4.3,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,6.2 NaN 5.6.2.1.1,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,Req-8.1.4,5.4.1.5
CCE-85845-6 Ensure All Accounts on the System Have Unique Names [ref] Ensure accounts on the system have unique names. To list any duplicated account names, run the following command (the sort step is needed because uniq only detects adjacent duplicates): $ sudo getent passwd | awk -F: '{ print $1 }' | sort | uniq -d If a username is returned, change or delete the username. Unique usernames allow for accountability on the system. medium content_rule_account_unique_name NaN NaN NaN NaN NaN NaN NaN CCI-000770,CCI-000804 NaN NaN NaN NaN NaN NaN NaN 5.5.2,Req-8.1.1,6.2.16
CCE-85570-0 Set Password Maximum Age [ref] To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: PASS_MAX_DAYS 90 A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 90. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. medium content_rule_accounts_maximum_age_login_defs SLES-15-020220 CM-6(a) 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4,3.5.6 PR.AC-1,PR.AC-6,PR.AC-7 SRG-OS-000076-GPOS-00044 NaN SV-234891r622137_rule CCI-000199 1,5,12,15,16 NaN NaN DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 IA-5(f),IA-5(1)(d),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 BP28(R18) 5.6.2.1,0418,1055,1402,Req-8.2.4,5.4.1.2
CCE-85846-4 Verify All Account Password Hashes are Shadowed [ref] If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely. The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users. medium content_rule_accounts_password_all_shadowed NaN CM-6(a) 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4,3.5.10 PR.AC-1,PR.AC-6,PR.AC-7 NaN NaN NaN NaN 1,5,12,15,16 NaN NaN DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 IA-5(h),A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 NaN 5.5.2,1410,Req-8.2.1,6.2.1
CCE-85847-2 All GIDs referenced in /etc/passwd must be defined in /etc/group [ref] Add a group to the system for each GID referenced without a corresponding group. If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group. low content_rule_gid_passwd_group_same NaN CM-6(a),IA-2 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4,CIP-003-3,R5.1.1,CIP-003-3,R5.3 PR.AC-1,PR.AC-6,PR.AC-7 SRG-OS-000104-GPOS-00051 NaN NaN CCI-000764 1,5,12,15,16 NaN NaN DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1 NaN 5.5.2,CIP-004-3,R2.2.3,CIP-004-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.2,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,Req-8.5.a,6.2.13
CCE-85576-7 Prevent Login to Accounts With Empty Password [ref] If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in password authentication configurations in /etc/pam.d/ to prevent logins with empty passwords. Note that this rule is not applicable for systems running within a container. Having a user with an empty password within a container is not considered a risk, because it should not be possible to directly log in to a container anyway. If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. high content_rule_no_empty_passwords SLES-15-020300 CM-6(a) 3.1.1,3.1.5,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4 PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5 SRG-OS-000480-GPOS-00227 NaN SV-234898r622137_rule CCI-000366 1,3,5,12,13,14,15,16,18 NaN 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10 IA-5(1)(a),IA-5(c),A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,5.2 NaN 5.5.2,FIA_UAU.1,Req-8.2.3
CCE-85693-0 Record Events that Modify the System's Discretionary Access Controls - chmod [ref] At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64-bit, then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64-bit, then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. medium content_rule_audit_rules_dac_modification_chmod SLES-15-030290 AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 NaN SV-234928r622137_rule CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85690-6 Record Events that Modify the System's Discretionary Access Controls - chown [ref] At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64-bit, then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64-bit, then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. medium content_rule_audit_rules_dac_modification_chown SLES-15-030250 AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 NaN SV-234924r622137_rule CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85694-8 Record Events that Modify the System's Discretionary Access Controls - fchmod [ref] At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64-bit, then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64-bit, then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. medium content_rule_audit_rules_dac_modification_fchmod SLES-15-030300 AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 NaN SV-234929r622137_rule CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85695-5 Record Events that Modify the System's Discretionary Access Controls - fchmodat [ref] At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64-bit, then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64-bit, then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. medium content_rule_audit_rules_dac_modification_fchmodat SLES-15-030310 AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 NaN SV-234930r622137_rule CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85721-9 Record Events that Modify the System's Discretionary Access Controls - fchown [ref] At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64-bit, then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64-bit, then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. medium content_rule_audit_rules_dac_modification_fchown SLES-15-030260 AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 NaN SV-234925r622137_rule CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85692-2  Record Events that Modify the System's Discretionary Access Controls - fchownat

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Severity: medium
RuleID: content_rule_audit_rules_dac_modification_fchownat
SLE: SLES-15-030280
NIST.800.53r4: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
SV: SV-234927r622137_rule
CCI: CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85686-4  Record Events that Modify the System's Discretionary Access Controls - fremovexattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Severity: medium
RuleID: content_rule_audit_rules_dac_modification_fremovexattr
SLE: SLES-15-030210
NIST.800.53r4: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
SV: SV-234920r622137_rule
CCI: CCI-000130,CCI-000169,CCI-000172,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85688-0  Record Events that Modify the System's Discretionary Access Controls - fsetxattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Severity: medium
RuleID: content_rule_audit_rules_dac_modification_fsetxattr
SLE: SLES-15-030230
NIST.800.53r4: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
SV: SV-234922r622137_rule
CCI: CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85691-4  Record Events that Modify the System's Discretionary Access Controls - lchown

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Severity: medium
RuleID: content_rule_audit_rules_dac_modification_lchown
SLE: SLES-15-030270
NIST.800.53r4: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
SV: SV-234926r622137_rule
CCI: CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85685-6  Record Events that Modify the System's Discretionary Access Controls - lremovexattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Severity: medium
RuleID: content_rule_audit_rules_dac_modification_lremovexattr
SLE: SLES-15-030200
NIST.800.53r4: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
SV: SV-234919r622137_rule
CCI: CCI-000130,CCI-000169,CCI-000172,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85689-8  Record Events that Modify the System's Discretionary Access Controls - lsetxattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Severity: medium
RuleID: content_rule_audit_rules_dac_modification_lsetxattr
SLE: SLES-15-030240
NIST.800.53r4: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
SV: SV-234923r622137_rule
CCI: CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85684-9  Record Events that Modify the System's Discretionary Access Controls - removexattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Severity: medium
RuleID: content_rule_audit_rules_dac_modification_removexattr
SLE: SLES-15-030190
NIST.800.53r4: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
SV: SV-234918r622137_rule
CCI: CCI-000130,CCI-000169,CCI-000172,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85687-2  Record Events that Modify the System's Discretionary Access Controls - setxattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If the system is 64-bit, then also add the following line:

    -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.

Rationale: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Severity: medium
RuleID: content_rule_audit_rules_dac_modification_setxattr
SLE: SLES-15-030220
NIST.800.53r4: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
SV: SV-234921r622137_rule
CCI: CCI-000126,CCI-000130,CCI-000169,CCI-000172,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.9
CCE-85768-0  Ensure auditd Collects File Deletion Events by User - rename

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

Rationale: Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Severity: medium
RuleID: content_rule_audit_rules_file_deletion_events_rename
NIST.800.53r4: AU-2(d),AU-12(c),CM-6(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
CCI: CCI-000169,CCI-000172,CCI-000366,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.4,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.1.1,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.7,4.1.13
CCE-85769-8  Ensure auditd Collects File Deletion Events by User - renameat

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

Rationale: Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Severity: medium
RuleID: content_rule_audit_rules_file_deletion_events_renameat
NIST.800.53r4: AU-2(d),AU-12(c),CM-6(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
CCI: CCI-000169,CCI-000172,CCI-000366,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.4,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.1.1,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.7,4.1.13
CCE-85770-6  Ensure auditd Collects File Deletion Events by User - rmdir

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

Rationale: Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Severity: medium
RuleID: content_rule_audit_rules_file_deletion_events_rmdir
NIST.800.53r4: AU-2(d),AU-12(c),CM-6(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
CCI: CCI-000169,CCI-000172,CCI-000366,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.4,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.1.1,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.7
CCE-85771-4  Ensure auditd Collects File Deletion Events by User - unlink

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

Rationale: Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Severity: medium
RuleID: content_rule_audit_rules_file_deletion_events_unlink
NIST.800.53r4: AU-2(d),AU-12(c),CM-6(a)
NIST.800.171: 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8
NIST.CFS1.1: ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4
SRG: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
CCI: CCI-000169,CCI-000172,CCI-000366,CCI-002884
CIS: 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19
HIPAA: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
COBIT: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
ISO.27002: A.6.2.1,A.6.2.2,A.11.2.4,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.1.1,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7
IEC.62443: SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6
OTHER: 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.7,4.1.13
CCE-85772-2 Ensure auditd Collects File Deletion Events by User - unlinkat [ref] At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
medium content_rule_audit_rules_file_deletion_events_unlinkat NaN AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890 NaN NaN CCI-000169,CCI-000172,CCI-000366,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.4,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.1.1,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.7,4.1.13
CCE-85681-5 Record Unsuccessful Access Attempts to Files - creat [ref] At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
medium content_rule_audit_rules_unsuccessful_file_modification_creat SLES-15-030160 AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 NaN SV-234915r622137_rule CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1,4.1.10
CCE-85696-3 Record Unsuccessful Access Attempts to Files - ftruncate [ref] At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
medium content_rule_audit_rules_unsuccessful_file_modification_ftruncate SLES-15-030320 AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 NaN SV-234931r622137_rule CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1,4.1.10
CCE-85680-7 Record Unsuccessful Access Attempts to Files - open [ref] At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
medium content_rule_audit_rules_unsuccessful_file_modification_open SLES-15-030150 AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),AU-3,AU-3.1,MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 NaN SV-234914r622137_rule CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1,4.1.10
CCE-85683-1 Record Unsuccessful Access Attempts to Files - open_by_handle_at [ref] At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
medium content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at SLES-15-030180 AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 NaN SV-234917r622137_rule CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1
CCE-85682-3 Record Unsuccessful Access Attempts to Files - openat [ref] At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
medium content_rule_audit_rules_unsuccessful_file_modification_openat SLES-15-030170 AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 NaN SV-234916r622137_rule CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1,4.1.10
CCE-85608-8 Record Unsuccessful Access Attempts to Files - truncate [ref] At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
medium content_rule_audit_rules_unsuccessful_file_modification_truncate SLES-15-030610 AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 NaN SV-234960r622137_rule CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.4,Req-10.2.1,4.1.10
CCE-85748-2 Ensure auditd Collects Information on Kernel Module Unloading - delete_module [ref] To capture kernel module unloading events, use the following line, setting ARCH to b32 on a 32-bit system, or adding two lines, one for b32 and one for b64, if your system is 64-bit: -a always,exit -F arch=ARCH -S delete_module -F key=modules Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules. The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
medium content_rule_audit_rules_kernel_module_loading_delete SLES-15-030520 AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000477-VMM-001970 NaN SV-234951r622137_rule CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.7,4.1.16
CCE-85749-0 Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S finit_module -F key=modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S finit_module -F key=modules The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
medium content_rule_audit_rules_kernel_module_loading_finit SLES-15-030530 AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000477-VMM-001970 NaN SV-234952r622137_rule CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.7
CCE-85750-8 Ensure auditd Collects Information on Kernel Module Loading - init_module [ref] To capture kernel module loading events, use the following line, setting ARCH to b32 on a 32-bit system, or adding two lines, one for b32 and one for b64, if your system is 64-bit: -a always,exit -F arch=ARCH -S init_module -F key=modules Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules. The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
medium content_rule_audit_rules_kernel_module_loading_init SLES-15-030540 AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000477-VMM-001970 NaN SV-234953r622137_rule CCI-000130,CCI-000169,CCI-000172,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.7,4.1.16
CCE-85814-2 Record attempts to alter time through adjtimex [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
medium content_rule_audit_rules_time_adjtimex NaN AC-6(9),AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 NaN NaN NaN CCI-001487,CCI-000169 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.4.2.b,4.1.3
CCE-85816-7 Record Attempts to Alter Time Through clock_settime [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change The -F a0=0x0 filter matches only calls whose first argument is CLOCK_REALTIME (clock id 0), the wall-clock time that log timestamps are taken from. The -k option (equivalent to the -F key=KEY form used above) tags matching events with a key string that can be used for better reporting through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. medium content_rule_audit_rules_time_clock_settime NaN AC-6(9),AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 NaN NaN NaN CCI-001487,CCI-000169 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.4.2.b
CCE-85813-4 Record attempts to alter time through settimeofday [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules The -k option (equivalent to the -F key=KEY form used above) tags matching events with a key string that can be used for better reporting through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. medium content_rule_audit_rules_time_settimeofday NaN AC-6(9),AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 NaN NaN NaN CCI-001487,CCI-000169 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.4.2.b,4.1.3
CCE-85815-9 Record Attempts to Alter Time Through stime [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems: -a always,exit -F arch=b32 -S stime -F key=audit_time_rules Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file for both 32 bit and 64 bit systems: -a always,exit -F arch=b32 -S stime -F key=audit_time_rules Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option (equivalent to the -F key=KEY form used above) tags matching events with a key string that can be used for better reporting through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined system calls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. medium content_rule_audit_rules_time_stime NaN AC-6(9),AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 NaN NaN NaN CCI-001487,CCI-000169 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.4.2.b,4.1.3
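The four time rules above and the init_module rule at the top of this section can each be written in several spellings that auditctl treats as the same rule: several syscalls in one -S list, the key as -k KEY or as -F key=KEY, -F filters in any order, and -a always,exit or -a exit,always. A plain string match against the rules file is therefore a weak compliance check. The following is an added example written for this page, not code from the page or from the compliance project it describes: it parses the rules into a normalised form and reports which required (syscall, arch) pairs have no satisfying rule. The embedded rules file is constructed, and the REQUIRED table is an assumption that simply transcribes the rules as they are stated above.

```python
"""Offline check that an auditd rule set carries the syscall rules
described above (adjtimex, settimeofday, clock_settime, stime, init_module).

The rule file contents are a constructed example, not copied from any host.
Rules are parsed into a normalised form rather than compared as strings,
because auditctl accepts several spellings of the same rule.
"""
import shlex
from collections import namedtuple

SyscallRule = namedtuple("SyscallRule", "action arch syscalls filters key")

# (syscall, arch, extra -F filters) -> key the rule must carry.  Assumption:
# this transcribes the rules on the page.  b64 entries apply only on 64-bit
# hosts; stime has no b64 form (see the stime rule above).
REQUIRED = {
    ("adjtimex", "b32", frozenset()): "audit_time_rules",
    ("adjtimex", "b64", frozenset()): "audit_time_rules",
    ("settimeofday", "b32", frozenset()): "audit_time_rules",
    ("settimeofday", "b64", frozenset()): "audit_time_rules",
    ("stime", "b32", frozenset()): "audit_time_rules",
    ("clock_settime", "b32", frozenset({"a0=0x0"})): "time-change",
    ("clock_settime", "b64", frozenset({"a0=0x0"})): "time-change",
    ("init_module", "b32", frozenset()): "modules",
    ("init_module", "b64", frozenset()): "modules",
}


def parse_syscall_rule(line):
    """Parse one '-a ... -S ...' rule; return None for anything else
    (comments, blank lines, -w watches, -e, -D).  Syscalls must be given
    by name, as on this page, not by number."""
    toks = shlex.split(line.split("#", 1)[0])
    if not toks or toks[0] != "-a":
        return None
    if len(toks) % 2:
        raise ValueError("dangling option in rule: " + line)
    action = arch = key = None
    syscalls, filters = set(), set()
    for opt, val in zip(toks[::2], toks[1::2]):
        if opt == "-a":
            action = frozenset(val.split(","))
        elif opt == "-S":
            syscalls.update(val.split(","))
        elif opt == "-k":
            key = val
        elif opt == "-F" and val.startswith("key="):
            key = val[len("key="):]
        elif opt == "-F" and val.startswith("arch="):
            arch = val[len("arch="):]
        elif opt == "-F":
            filters.add(val)
        else:
            raise ValueError("unsupported option %r in rule: %s" % (opt, line))
    return SyscallRule(action, arch, frozenset(syscalls), frozenset(filters), key)


def missing_rules(rules_text, is_64bit=True):
    """Return the (syscall, arch) pairs from REQUIRED that no rule satisfies.

    A rule satisfies a requirement when it is an always,exit rule for that
    arch, names the syscall (alone or in a combined -S list), carries
    exactly the required extra filters (an additional filter such as
    auid>=1000 would narrow the rule and stop it auditing *all* changes)
    and uses the required key.
    """
    rules = [r for r in map(parse_syscall_rule, rules_text.splitlines()) if r]
    missing = []
    for (syscall, arch, extra), key in REQUIRED.items():
        if arch == "b64" and not is_64bit:
            continue
        satisfied = any(
            r.action == {"always", "exit"} and r.arch == arch
            and syscall in r.syscalls and r.filters == extra and r.key == key
            for r in rules)
        if not satisfied:
            missing.append((syscall, arch))
    return missing


# Constructed example of a merged rules.d file; the b64 clock_settime rule
# is deliberately left out so the checker has something to report.
SAMPLE_RULES = """\
## time and module rules (constructed example)
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a exit,always -F arch=b32 -S init_module -F key=modules
-a always,exit -F arch=b64 -S init_module -F key=modules
-w /etc/localtime -p wa -k audit_time_rules
-e 2
"""

if __name__ == "__main__":
    for syscall, arch in missing_rules(SAMPLE_RULES):
        print("missing: -a always,exit -F arch=%s -S %s ..." % (arch, syscall))
```

On a real host the input would be the concatenation of /etc/audit/rules.d/*.rules (what augenrules merges) or /etc/audit/audit.rules; comparing against the loaded rule set from auditctl -l is a separate check, since that output is auditctl's own normalised spelling rather than what is on disk.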
CCE-85812-6 Record Attempts to Alter the localtime File [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/localtime -p wa -k audit_time_rules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: -w /etc/localtime -p wa -k audit_time_rules The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. medium content_rule_audit_rules_time_watch_localtime NaN AC-6(9),AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 NaN NaN NaN CCI-001487,CCI-000169 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.4.2.b,4.1.3
CCE-85831-6 Make the auditd Configuration Immutable [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable: -e 2 Because augenrules merges the .rules files in sorted filename order and no rule can be loaded after -e 2 takes effect, the file carrying this line must sort last (for example 99-finalize.rules) so that it is the final line loaded. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line as the last line of the /etc/audit/audit.rules file in order to make the auditd configuration immutable: -e 2 With this setting, a reboot will be required to change any audit rules. Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation. medium content_rule_audit_rules_immutable NaN AC-6(9),CM-6(a) 4.2.3.10,4.3.2.6.7,3.3.1,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,3.4.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-4,PR.DS-5,PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029 NaN NaN CCI-000162 1,3,4,5,6,7,8,11,12,13,14,15,16,18,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e) APO01.06,APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,5.2,SR,6.1 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.5.2,4.1.17
CCE-85830-8 Record Events that Modify the System's Mandatory Access Controls [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/selinux/ -p wa -k MAC-policy If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. medium content_rule_audit_rules_mac_modification NaN AU-2(d),AU-12(c),CM-6(a) 3.1.8,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 NaN NaN NaN NaN 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.5,4.1.6
CCE-85718-5 Ensure auditd Collects Information on Exporting to Media (successful) [ref] At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export The auid filters restrict the rule to mounts performed from a real login session by a non-system user; mounts done at boot or by daemons (which have no login uid) are not recorded by it. The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. medium content_rule_audit_rules_media_export SLES-15-030350 AC-6(9),AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 NaN SV-234934r622137_rule CCI-000135,CCI-000169,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.2.7,4.1.12
CCE-85828-2 Record Events that Modify the System's Network Environment [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. medium content_rule_audit_rules_networkconfig_modification NaN AC-6(9),AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 NaN NaN NaN NaN 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.5.5,4.1.5
CCE-85829-0 Record Attempts to Alter Process and Session Initiation Information [ref] The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of the files that store such process information: -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of the files that store such process information: -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. medium content_rule_audit_rules_session_events NaN AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 NaN NaN NaN NaN 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,0582,0584,05885,0586,0846,0957,FAU_GEN.1.1.c,Req-10.2.3,4.1.8
CCE-85679-9 Ensure auditd Collects System Administrator Actions [ref] At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes. medium content_rule_audit_rules_sysadmin_actions SLES-15-030140 AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000462-VMM-001840,SRG-OS-000471-VMM-001910 NaN SV-234913r622137_rule CCI-000126,CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.2.2,Req-10.2.5.b,4.1.14
CCE-85578-3 Record Events that Modify User/Group Information - /etc/group [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture account modification events: -w /etc/group -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, in order to capture account modification events: -w /etc/group -p wa -k audit_rules_usergroup_modification In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. medium content_rule_audit_rules_usergroup_modification_group SLES-15-030010 AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960 NaN SV-234900r622137_rule CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132,CCI-002884 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c,Req-10.2.5,4.1.4
CCE-85580-9 Record Events that Modify User/Group Information - /etc/gshadow [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture account modification events: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, in order to capture account modification events: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. medium content_rule_audit_rules_usergroup_modification_gshadow SLES-15-030040 AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960 NaN SV-234903r622137_rule CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c,Req-10.2.5,4.1.4
CCE-85728-4 Record Events that Modify User/Group Information - /etc/security/opasswd [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture account modification events: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, in order to capture account modification events: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. medium content_rule_audit_rules_usergroup_modification_opasswd SLES-15-030030 AC-2(4).1(i&ii),AU-12.1(iv) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000476-GPOS-00221,SRG-OS-000463-GPOS-00207,SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960 NaN SV-234902r622137_rule CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c,Req-10.2.5,4.1.4
CCE-85577-5 Record Events that Modify User/Group Information - /etc/passwd [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/passwd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/passwd -p wa -k audit_rules_usergroup_modification In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. medium content_rule_audit_rules_usergroup_modification_passwd SLES-15-030000 AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000276-GPOS-00106,SRG-OS-000277-GPOS-00107,SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960 NaN SV-234899r622137_rule CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c,Req-10.2.5,4.1.4
CCE-85579-1 Record Events that Modify User/Group Information - /etc/shadow [ref] If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/shadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/shadow -p wa -k audit_rules_usergroup_modification In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. medium content_rule_audit_rules_usergroup_modification_shadow SLES-15-030020 AC-2(4),AC-6(9),AU-2(d),AU-12(c),CM-6(a) 3.1.7,4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960 NaN SV-234901r622137_rule CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,18,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.1,SR,1.13,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.2,CIP-004-3,R2.2.3,CIP-007-3,R.1.3,CIP-007-3,R5,CIP-007-3,R5.1.1,CIP-007-3,R5.1.3,CIP-007-3,R5.2.1,CIP-007-3,R5.2.3,FAU_GEN.1.1.c,Req-10.2.5,4.1.4
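The three audit_rules_usergroup_modification rules above (and the rules for /etc/group and /etc/gshadow that belong to the same rule group) all reduce to one check: a -w watch on the file whose permission set contains both w and a. The shell below is an added example, not part of the SCAP content or of the audit project. It parses a rules file (a constructed sample in a temp file here; /etc/audit/rules.d/*.rules or the output of auditctl -l on a live SLES 15 host have the same syntax), reports which of the five watches are missing or have an inadequate permission set, and prints the rule lines that would complete the file. Function, variable and file names are the example's own.

```shell
# Added example (not SCAP content): verify and complete the user/group
# modification watches. Point it at a real rules.d file or at
# "auditctl -l" output on a SLES 15 host; here it runs on a sample.

# Files the audit_rules_usergroup_modification rule group covers
# (group and gshadow assumed to belong to the same group of rules).
USERGROUP_FILES="/etc/group /etc/gshadow /etc/passwd /etc/shadow /etc/security/opasswd"
USERGROUP_KEY="audit_rules_usergroup_modification"

# has_watch RULES_FILE PATH: exit 0 if RULES_FILE holds a "-w PATH" watch
# whose -p permission set contains both w and a (letter order irrelevant).
has_watch() {
    local rules_file=$1 path=$2
    sed 's/#.*//' "$rules_file" |          # drop comment lines
    tr -s ' \t' ' ' |                      # normalise whitespace
    grep -E -- "(^| )-w $path( |$)" |      # exact path, not a prefix
    grep -E -- '-p [rwxa]*w[rwxa]*' |      # writes ...
    grep -E -q -- '-p [rwxa]*a[rwxa]*'     # ... and attribute changes
}

# missing_watches RULES_FILE: print, one per line, the covered paths that
# have no adequate watch. Prints nothing when the file is compliant.
missing_watches() {
    local rules_file=$1 f
    for f in $USERGROUP_FILES; do
        has_watch "$rules_file" "$f" || echo "$f"
    done
}

# emit_missing_rules RULES_FILE: print the rule lines that would make
# RULES_FILE compliant, ready to append to a /etc/audit/rules.d file.
emit_missing_rules() {
    missing_watches "$1" | while read -r f; do
        echo "-w $f -p wa -k $USERGROUP_KEY"
    done
}

# Constructed sample: two adequate watches, one with only "w", two absent.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
## constructed sample rules.d file, deliberately incomplete
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
## permission letters in the other order are still adequate
-w /etc/shadow -p aw -k audit_rules_usergroup_modification
## only "w": chmod/chown of /etc/group would go unlogged
-w /etc/group -p w -k audit_rules_usergroup_modification
EOF

echo "Missing or inadequate watches:"
missing_watches "$SAMPLE_RULES"
echo "Rules to append:"
emit_missing_rules "$SAMPLE_RULES"
```

After appending the printed lines to a file under /etc/audit/rules.d, load them with augenrules --load (the default startup path named in the rules) and confirm with auditctl -l. The -k key is only a search label; ausearch -k audit_rules_usergroup_modification then returns every change to these files.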
CCE-85810-0 System Audit Logs Must Be Owned By Root [ref] All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit, run the command: $ sudo chown root /var/log/audit To properly set the owner of /var/log/audit/*, run the command: $ sudo chown root /var/log/audit/* Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. medium content_rule_file_ownership_var_log_audit NaN AC-6(1),AU-9(4),CM-6(a) 4.2.3.10,3.3.1,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 PR.AC-4,PR.DS-5,PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084 NaN NaN CCI-000162,CCI-000163,CCI-000164,CCI-001314 1,3,4,5,6,7,8,11,12,13,14,15,16,18,19 NaN NaN APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7 SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,5.2,SR,6.1 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,Req-10.5.1
CCE-85811-8 System Audit Logs Must Have Mode 0640 or Less Permissive [ref] If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command: $ sudo chmod 0640 audit_file Otherwise, change the mode of the audit log files with the following command: $ sudo chmod 0600 audit_file If users can write to audit logs, audit trails can be modified or destroyed. medium content_rule_file_permissions_var_log_audit NaN AC-6(1),AU-9(4),CM-6(a) 4.2.3.10,3.3.1,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 PR.AC-4,PR.DS-5,PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084 NaN NaN CCI-000162,CCI-000163,CCI-000164,CCI-001314 1,3,4,5,6,7,8,11,12,13,14,15,16,18,19 NaN NaN APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7 SR,2.1,SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,5.2,SR,6.1 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,Req-10.5
CCE-85779-7 Configure auditd to use audispd's syslog plugin [ref] To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service: $ sudo service auditd restart The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for the audit event multiplexor (audispd) to pass audit records to the local syslog server. medium content_rule_auditd_audispd_syslog_plugin_activated NaN AU-4(1),CM-6(a) 4.2.3.10,3.3.1,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 SRG-OS-000479-GPOS-00224,SRG-OS-000342-GPOS-00133,SRG-OS-000051-VMM-000230,SRG-OS-000058-VMM-000270,SRG-OS-000059-VMM-000280,SRG-OS-000479-VMM-001990,SRG-OS-000479-VMM-001990 NaN NaN CCI-000136 1,3,4,5,6,7,8,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(B),164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.308(a)(8),164.310(d)(2)(iii),164.312(b),164.314(a)(2)(i)(C),164.314(a)(2)(iii) APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7 SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,FAU_GEN.1.1.c,Req-10.5.3
CCE-85604-7 Configure auditd mail_acct Action on Low Disk Space [ref] The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations: action_mail_acct = root Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. medium content_rule_auditd_data_retention_action_mail_acct SLES-15-030570 AU-5(a),AU-5(2),CM-6(a) 4.2.3.10,3.3.1,4.3.3.3.9,4.3.3.5.8,CIP-003-3,R1.3,CIP-003-3,R3,CIP-003-3,R3.1,CIP-003-3,R3.2,CIP-003-3,R3.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 PR.DS-4,PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 SRG-OS-000046-GPOS-00022,SRG-OS-000343-GPOS-00134,SRG-OS-000046-VMM-000210,SRG-OS-000343-VMM-001240 NaN SV-234956r622137_rule CCI-000139,CCI-001855 1,2,3,4,5,6,7,8,11,12,13,14,15,16,19 NaN 164.312(a)(2)(ii) APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 IA-5(1),A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,7.1,SR,7.2 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.3,CIP-004-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.2,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,Req-10.7.a,4.1.2.3
CCE-85824-1 Configure auditd admin_space_left Action on Low Disk Space [ref] The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: admin_space_left_action = ACTION Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. medium content_rule_auditd_data_retention_admin_space_left_action NaN AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) 4.2.3.10,3.3.1,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 PR.DS-4,PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 SRG-OS-000343-GPOS-00134 NaN NaN CCI-000140,CCI-001343,CCI-001855 1,2,3,4,5,6,7,8,11,12,13,14,15,16,19 NaN 164.312(a)(2)(ii) APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,7.1,SR,7.2 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.7,4.1.2.3
CCE-85825-8 Configure auditd Max Log File Size [ref] Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of 6 for STOREMB: max_log_file = STOREMB Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data. The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. medium content_rule_auditd_data_retention_max_log_file NaN AU-11,CM-6(a) 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 NaN NaN NaN NaN 1,3,4,5,6,7,8,11,12,13,14,15,16,19 NaN NaN APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7 SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.3,CIP-004-3,R3.3,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,CIP-007-3,R6.5,Req-10.7,4.1.2.1
CCE-85778-9 Configure auditd max_log_file_action Upon Reaching Maximum Log Size [ref] The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf: max_log_file_action = ACTION Possible values for ACTION are described in the auditd.conf man page. These include: syslog, suspend, rotate, keep_logs. Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive. Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed. medium content_rule_auditd_data_retention_max_log_file_action NaN AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 PR.DS-4,PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 SRG-OS-000047-GPOS-00023 NaN NaN CCI-000140 1,2,3,4,5,6,7,8,11,12,13,14,15,16,19 NaN 164.312(a)(2)(ii) APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,7.1,SR,7.2 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.7,4.1.2.2
CCE-85780-5 Configure auditd Number of Logs Retained [ref] Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of 5: num_logs = NUMLOGS Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. medium content_rule_auditd_data_retention_num_logs NaN AU-11,CM-6(a) 4.2.3.10,3.3.1,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 NaN NaN NaN NaN 1,3,4,5,6,7,8,11,12,13,14,15,16,19 NaN NaN APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7 SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R2.2.3,CIP-004-3,R3.3,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,CIP-007-3,R6.5,Req-10.7
CCE-85823-3 Configure auditd space_left Action on Low Disk Space [ref] The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately: space_left_action = ACTION Possible values for ACTION are described in the auditd.conf man page. These include: syslog, email, exec, suspend, single, halt. Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt. Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. medium content_rule_auditd_data_retention_space_left_action NaN AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) 4.2.3.10,3.3.1,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 PR.DS-4,PR.PT-1,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 SRG-OS-000343-GPOS-00134,SRG-OS-000343-VMM-001240 NaN NaN CCI-001855 1,2,3,4,5,6,7,8,11,12,13,14,15,16,19 NaN 164.312(a)(2)(ii) APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9,SR,6.1,SR,7.1,SR,7.2 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.7,4.1.2.3
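The six auditd.conf retention and notification rules above, the active flag of the audispd syslog plug-in (CCE-85779-7) and the log_group dependency of the 0640/0600 rule (CCE-85811-8) are all key = value pairs in auditd-style files, so one small parser can check all of them in a single pass. The shell below is an added example, not SCAP or audit-project code. It works on constructed copies of auditd.conf and plugins.d/syslog.conf in a temp directory (on a real SLES 15 host run the same functions against /etc/audit/auditd.conf and the plug-in file) and prints one line per non-compliant key with the expected and actual values. The thresholds are the ones stated in the rules; function names are the example's own.

```shell
# Added example (not SCAP content): audit the auditd.conf keys covered by
# the retention rules, plus the audispd syslog plug-in's "active" flag.

# conf_get FILE KEY: print the value of "KEY = value" from an auditd-style
# file. Keys are matched case-insensitively; comments and blank lines are
# ignored; surrounding whitespace is stripped (values here contain none).
# Exits 1 and prints nothing when KEY is absent.
conf_get() {
    local file=$1 key=$2 k v line lkey
    lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    while IFS= read -r line; do
        line=${line%%#*}                               # drop comments
        case $line in *=*) ;; *) continue ;; esac       # need key = value
        k=$(printf '%s' "${line%%=*}" | tr -d ' \t' | tr 'A-Z' 'a-z')
        v=$(printf '%s' "${line#*=}"  | tr -d ' \t')
        if [ "$k" = "$lkey" ]; then printf '%s\n' "$v"; return 0; fi
    done < "$file"
    return 1
}

# lower STRING: lowercase, because auditd treats these values case-insensitively.
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_conf_report CONF: print "KEY EXPECTED ACTUAL" for each setting that
# violates the rules above; print nothing when CONF is compliant.
audit_conf_report() {
    local conf=$1 v
    v=$(conf_get "$conf" action_mail_acct) || v=unset
    [ "$v" = root ] || echo "action_mail_acct root $v"
    v=$(conf_get "$conf" admin_space_left_action) || v=unset
    case $(lower "$v") in single|suspend|halt) ;; *) echo "admin_space_left_action single $v" ;; esac
    v=$(conf_get "$conf" space_left_action) || v=unset
    case $(lower "$v") in email|suspend|single|halt) ;; *) echo "space_left_action email $v" ;; esac
    v=$(conf_get "$conf" max_log_file_action) || v=unset
    case $(lower "$v") in rotate|keep_logs) ;; *) echo "max_log_file_action rotate $v" ;; esac
    v=$(conf_get "$conf" max_log_file) || v=0
    [ "$v" -ge 6 ] 2>/dev/null || echo "max_log_file >=6 $v"      # non-numeric also fails
    v=$(conf_get "$conf" num_logs) || v=0
    [ "$v" -ge 5 ] 2>/dev/null || echo "num_logs >=5 $v"
}

# audit_log_max_mode CONF: most permissive mode the audit log files may
# carry: 0640 when log_group names a non-root group, otherwise 0600.
audit_log_max_mode() {
    local g
    g=$(conf_get "$1" log_group) || g=root
    if [ "$g" = root ]; then echo 0600; else echo 0640; fi
}

# syslog_plugin_active PLUGIN_CONF: exit 0 when "active = yes".
syslog_plugin_active() {
    [ "$(lower "$(conf_get "$1" active)")" = yes ]
}

# Constructed samples in a temp directory: a few settings deliberately off.
WORK=$(mktemp -d)
cat > "$WORK/auditd.conf" <<'EOF'
# constructed copy of /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
log_group = root
max_log_file = 8
max_log_file_action = ROTATE
num_logs = 3
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left_action = suspend
EOF
cat > "$WORK/syslog.conf" <<'EOF'
# constructed copy of /etc/audisp/plugins.d/syslog.conf
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
EOF

echo "Non-compliant auditd.conf keys (key expected actual):"
audit_conf_report "$WORK/auditd.conf"
echo "Audit log files may be at most mode $(audit_log_max_mode "$WORK/auditd.conf")"
syslog_plugin_active "$WORK/syslog.conf" && echo "syslog plug-in active" || echo "syslog plug-in inactive"
```

After correcting the files, restart auditd as the plug-in rule shows (service auditd restart) so the daemon rereads auditd.conf; the checker reports nothing once every key matches. ROTATE and SYSLOG in the sample pass or fail on their meaning, not their case, which is why the comparison lowercases values first.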
CCE-85613-8 Ensure the default plugins for the audit dispatcher are Installed [ref] The audit-audispd-plugins package should be installed. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. medium content_rule_package_audit-audispd-plugins_installed SLES-15-030670 NaN NaN NaN SRG-OS-000342-GPOS-00133 NaN SV-234966r622137_rule CCI-001851 NaN NaN NaN NaN NaN NaN NaN NaN
CCE-85581-7 Enable auditd Service [ref] The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command: $ sudo systemctl enable auditd.service Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded. Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. medium content_rule_service_auditd_enabled SLES-15-030050 AC-2(g),AC-6(9),AU-3,AU-10,AU-2(d),AU-12(c),AU-14(1),CM-6(a),SI-4(23) 4.2.3.10,4.3.2.6.7,3.3.1,3.3.2,3.3.6,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000480-GPOS-00227,SRG-OS-000062-GPOS-00031,SRG-OS-000037-VMM-000150,SRG-OS-000063-VMM-000310,SRG-OS-000038-VMM-000160,SRG-OS-000039-VMM-000170,SRG-OS-000040-VMM-000180,SRG-OS-000041-VMM-000190 NaN SV-234904r622137_rule CCI-000126,CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000366,CCI-001464,CCI-001487,CCI-001814,CCI-001876,CCI-002884,CCI-000169 1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(C),164.310(a)(2)(iv),164.310(d)(2)(iii),164.312(b) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,6.2,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,CIP-004-3,R3.3,CIP-007-3,R6.5,Req-10.1,4.1.1.2
CCE-85832-4 Enable Auditing for Processes Which Start Prior to the Audit Daemon [ref] To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system in /boot/grub2/grubenv, in the manner below: # grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1" Warning: The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows: On BIOS-based machines, issue the following command as root: ~]# grub2-mkconfig -o /boot/grub2/grub.cfg On UEFI-based machines, issue the following command as root: ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg (the directory under /boot/efi/EFI is distribution-specific; on a SLES host use the directory actually present there rather than fedora) Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. medium content_rule_grub2_audit_argument NaN AC-17(1),AU-14(1),AU-10,CM-6(a),IR-5(1) 4.2.3.10,4.3.2.6.7,3.3.1,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8 ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,DE.AE-3,DE.AE-5,RS.AN-1,RS.AN-4 SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000254-GPOS-00095,SRG-OS-000254-VMM-000880 NaN NaN CCI-001464,CCI-000130,CCI-000169 1,3,4,5,6,7,8,11,12,13,14,15,16,19 NaN 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(C),164.310(a)(2)(iv),164.310(d)(2)(iii),164.312(b) APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.02,DSS05.03,DSS05.04,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 A.6.2.1,A.6.2.2,A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7 SR,1.13,SR,2.10,SR,2.11,SR,2.12,SR,2.6,SR,2.8,SR,2.9,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,6.1,SR,7.1,SR,7.6 NaN 5.4.1.1,4.4.2.1,4.4.2.2,4.4.2.4,Req-10.3,4.1.1.3
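The grub2-editenv/kernelopts command in the rule above is the BLS-style method used by Fedora and RHEL 8; on SLES 15 the kernel command line comes from GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and is rendered into grub.cfg by grub2-mkconfig, so the change that survives kernel updates is to that variable. The shell below is an added example, not SCAP or SUSE code. It edits a constructed copy of /etc/default/grub, adds audit=1 exactly once (replacing an existing audit=0 or audit=N token, and not mistaking audit=10 or audit_backlog_limit= for it), is safe to rerun, and includes the post-reboot check against /proc/cmdline. Function and file names are the example's own.

```shell
# Added example (not SCAP content): put audit=1 on the GRUB 2 command line
# by editing GRUB_CMDLINE_LINUX_DEFAULT idempotently, then verify.

# cmdline_has_audit1 FILE: exit 0 if GRUB_CMDLINE_LINUX_DEFAULT in FILE
# contains the exact token audit=1 (audit=10 and audit_backlog_limit=...
# do not count).
cmdline_has_audit1() {
    grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1" |
    tr -d '"' |
    grep -E -q '(=| )audit=1( |$)'
}

# ensure_audit1 FILE: rewrite FILE so GRUB_CMDLINE_LINUX_DEFAULT contains
# audit=1 exactly once. Any existing audit=N token is dropped first, every
# other token is kept, and the variable is created if it is absent.
ensure_audit1() {
    local file=$1 tmp
    tmp=$(mktemp)
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        awk '
            /^GRUB_CMDLINE_LINUX_DEFAULT=/ {
                val = substr($0, index($0, "=") + 1)
                gsub(/"/, "", val)
                n = split(val, tok, " ")          # split on runs of blanks
                out = ""
                for (i = 1; i <= n; i++)
                    if (tok[i] !~ /^audit=[0-9]+$/)
                        out = out (out == "" ? "" : " ") tok[i]
                out = out (out == "" ? "" : " ") "audit=1"
                print "GRUB_CMDLINE_LINUX_DEFAULT=\"" out "\""
                next
            }
            { print }' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        echo 'GRUB_CMDLINE_LINUX_DEFAULT="audit=1"' >> "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"      # keep FILE's owner and mode
}

# proc_cmdline_has_audit1 [FILE]: after the reboot, confirm the running
# kernel was actually booted with audit=1 (defaults to /proc/cmdline).
proc_cmdline_has_audit1() {
    grep -E -q '(^| )audit=1( |$)' "${1:-/proc/cmdline}"
}

# Constructed copy of /etc/default/grub with auditing explicitly disabled.
WORK=$(mktemp -d)
cat > "$WORK/grub" <<'EOF'
# constructed copy of /etc/default/grub
GRUB_DISTRIBUTOR=
GRUB_DEFAULT=saved
GRUB_TIMEOUT=8
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent resume=/dev/sda2 audit=0 quiet"
GRUB_CMDLINE_LINUX=""
EOF

cmdline_has_audit1 "$WORK/grub" && echo "before: audit=1 present" || echo "before: audit=1 absent"
ensure_audit1 "$WORK/grub"
ensure_audit1 "$WORK/grub"        # second run must change nothing
grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$WORK/grub"
# On the real host, finish with (as root):
#   grub2-mkconfig -o /boot/grub2/grub.cfg
# and after the next boot run proc_cmdline_has_audit1 with no argument.
```

The token-level rewrite matters because a naive `sed 's/"$/ audit=1"/'` appends on every run and leaves a contradictory audit=0 in place; the kernel honours whichever audit= token comes last, so both mistakes are easy to miss until an auditor reads /proc/cmdline.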
CCE-85849-8 Verify /boot/grub2/grub.cfg Group Ownership [ref] The file /boot/grub2/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /boot/grub2/grub.cfg, run the command: $ sudo chgrp root /boot/grub2/grub.cfg The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. medium content_rule_file_groupowner_grub2_cfg NaN AC-6(1),CM-6(a) 4.3.3.7.3,3.4.5 PR.AC-4,PR.DS-5 NaN NaN NaN CCI-000225 3,5,12,13,14,15,16,18 NaN 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) APO01.06,DSS05.04,DSS05.07,DSS06.02 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 SR,2.1,SR,5.2 NaN 5.5.2.2,Req-7.1,1.5.2
CCE-85848-0 Verify /boot/grub2/grub.cfg User Ownership [ref] The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /boot/grub2/grub.cfg, run the command: $ sudo chown root /boot/grub2/grub.cfg Only root should be able to modify important boot parameters. medium content_rule_file_owner_grub2_cfg NaN AC-6(1),CM-6(a) 4.3.3.7.3,3.4.5 PR.AC-4,PR.DS-5 NaN NaN NaN CCI-000225 3,5,12,13,14,15,16,18 NaN 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) APO01.06,DSS05.04,DSS05.07,DSS06.02 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 SR,2.1,SR,5.2 NaN 5.5.2.2,Req-7.1,1.5.2
CCE-85838-1 Ensure Log Files Are Owned By Appropriate Group [ref] The group-owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner: $ ls -l LOGFILE If the group owner is not root, run the following command to correct this: $ sudo chgrp root LOGFILE The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. medium content_rule_rsyslog_files_groupownership NaN AC-6(1),CM-6(a) 4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 PR.AC-4,PR.DS-5 NaN NaN NaN CCI-001314 3,5,12,13,14,15,16,18 NaN NaN APO01.06,DSS05.04,DSS05.07,DSS06.02 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 SR,2.1,SR,5.2 BP28(R46),BP28(R5) 0988,1405,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,Req-10.5.1,Req-10.5.2
CCE-85839-9 Ensure Log Files Are Owned By Appropriate User [ref] The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner: $ ls -l LOGFILE If the owner is not root, run the following command to correct this: $ sudo chown root LOGFILE The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. medium content_rule_rsyslog_files_ownership NaN AC-6(1),CM-6(a) 4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 PR.AC-4,PR.DS-5 NaN NaN NaN CCI-001314 3,5,12,13,14,15,16,18 NaN NaN APO01.06,DSS05.04,DSS05.07,DSS06.02 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 SR,2.1,SR,5.2 BP28(R46),BP28(R5) 0988,1405,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,Req-10.5.1,Req-10.5.2
CCE-85837-3 Ensure System Log Files Have Correct Permissions [ref] The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions: $ ls -l LOGFILE If the permissions are not 600 or more restrictive, run the following command to correct this: $ sudo chmod 0600 LOGFILE Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value. medium content_rule_rsyslog_files_permissions NaN AC-6(1),CM-6(a) CIP-003-3,R5.1.1,CIP-003-3,R5.3 NaN NaN NaN NaN CCI-001314 NaN NaN NaN NaN NaN NaN BP28(R36) 0988,1405,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,Req-10.5.1,Req-10.5.2
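The three rsyslog rules above share one procedure: take the action field of each selector line in rsyslog.conf as the log file list, then check owner, group and mode of each file. The shell below is an added example, not SCAP or rsyslog code. It runs that procedure against a constructed rsyslog.conf and temp files (on SLES 15 point it at /etc/rsyslog.conf and /etc/rsyslog.d/*.conf), skipping actions that are not files (:omusrmsg:, @host UDP and @@host TCP forwarding, legacy $-directives, RainerScript module()/action() lines) and treating the leading - of an asynchronous write as syntax rather than part of the path. The mode comparison is a bitmask test, so 0600 passes a 0640 ceiling while 0644 or a sticky bit does not. It relies on GNU stat -c, as shipped on SLES; function, variable and file names are the example's own.

```shell
# Added example (not SCAP content): list the files rsyslog writes to and
# report any whose owner, group or mode violates root:root, 0600 or tighter.

# rsyslog_log_files CONF: print each file path used as an action target in
# the legacy selector syntax ("selector  action"). Non-file actions and
# directives are skipped; a leading "-" (async write) is stripped.
rsyslog_log_files() {
    sed 's/#.*//' "$1" | awk '
        NF < 2                                   { next }  # need selector + action
        $1 ~ /^\$/                               { next }  # legacy $ directives
        $1 ~ /^(module|ruleset|input|action)\(/  { next }  # RainerScript lines
        { a = $2
          sub(/^-/, "", a)                                 # async marker
          if (a ~ /^\//) print a }'                        # files only
}

# mode_at_most ACTUAL MAX: exit 0 if octal mode ACTUAL grants no bit that
# octal mode MAX does not (setuid/setgid/sticky bits included).
mode_at_most() {
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# log_file_findings CONF [OWNER] [GROUP] [MAXMODE]: print "PATH problem"
# for every target file that is missing or violates the expected
# owner (default root), group (default root) or mode ceiling (default 600).
log_file_findings() {
    local conf=$1 owner=${2:-root} group=${3:-root} max=${4:-600} f info
    rsyslog_log_files "$conf" | while read -r f; do
        [ -e "$f" ] || { echo "$f missing"; continue; }
        info=$(stat -c '%U %G %a' "$f") || { echo "$f unreadable"; continue; }
        set -- $info                                      # owner group mode
        [ "$1" = "$owner" ] || echo "$f owner=$1"
        [ "$2" = "$group" ] || echo "$f group=$2"
        mode_at_most "$3" "$max" || echo "$f mode=$3"
    done
}

# Constructed sample: a legacy-style rsyslog.conf pointing at temp files
# with one correct mode, one group-readable, one world-readable, one absent.
WORK=$(mktemp -d)
mkdir -p "$WORK/log"
cat > "$WORK/rsyslog.conf" <<EOF
# constructed sample of /etc/rsyslog.conf (legacy selector syntax)
\$ModLoad imuxsock
module(load="imklog")
*.info;mail.none;authpriv.none    $WORK/log/messages
authpriv.*                        $WORK/log/secure
mail.*                            -$WORK/log/maillog
cron.*                            $WORK/log/cron
*.emerg                           :omusrmsg:*
*.*                               @@loghost.example.net:514
EOF
touch "$WORK/log/messages" "$WORK/log/secure" "$WORK/log/maillog"
chmod 600 "$WORK/log/messages"
chmod 640 "$WORK/log/secure"
chmod 644 "$WORK/log/maillog"
# $WORK/log/cron is deliberately not created

echo "Files rsyslog writes:"
rsyslog_log_files "$WORK/rsyslog.conf"
echo "Findings (root:root, mode <= 600 expected):"
log_file_findings "$WORK/rsyslog.conf"
```

Run outside a root shell, the sample also reports owner= and group= for every temp file, which is the correct result: the files are not root's. A "missing" line is informational rather than a failure, since rsyslog creates a target on first write; the rule checks apply once the file exists.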
CCE-85850-6 Ensure Logrotate Runs Periodically [ref] The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf: # rotate log files frequency daily Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. medium content_rule_ensure_logrotate_activated NaN CM-6(a) 4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 PR.PT-1 NaN NaN NaN CCI-000366 1,3,5,6,14,15,16 NaN NaN APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01 A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1 SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9 BP28(R43) NT12(R18),4.4.2.1,4.4.2.2,4.4.2.4,Req-10.7
CCE-85836-5 Install strongswan Package [ref] The Strongswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The strongswan package can be installed with the following command: $ sudo zypper install strongswan Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. medium content_rule_package_strongswan_installed NaN CM-6(a) 4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8 PR.AC-3,PR.MA-2,PR.PT-4 SRG-OS-000480-GPOS-00227,SRG-OS-000120-GPOS-00061 NaN NaN CCI-001130,CCI-001131 3,5,8,12,15 NaN NaN APO13.01,DSS01.04,DSS05.02,DSS05.03,DSS05.04 A.6.2.1,A.6.2.2,A.11.2.4,A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.15.1.1,A.15.2.1 SR,1.13,SR,2.6,SR,3.1,SR,3.5,SR,3.8,SR,4.1,SR,4.3,SR,5.1,SR,5.2,SR,5.3,SR,7.1,SR,7.6 NaN Req-4.1
CCE-85801-9 Verify Group Who Owns group File [ref] To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. medium content_rule_file_groupowner_etc_group NaN AC-6(1),CM-6(a) 4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 PR.AC-4,PR.DS-5 NaN NaN NaN NaN 3,5,12,13,14,15,16,18 NaN NaN APO01.06,DSS05.04,DSS05.07,DSS06.02 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 SR,2.1,SR,5.2 NaN 5.5.2.2,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,Req-8.7.c,6.1.4
CCE-85809-2 Verify Group Who Owns passwd File [ref] To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. medium content_rule_file_groupowner_etc_passwd NaN AC-6(1),CM-6(a) 4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 PR.AC-4,PR.DS-5 NaN NaN NaN NaN 3,5,12,13,14,15,16,18 NaN NaN APO01.06,DSS05.04,DSS05.07,DSS06.02 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 SR,2.1,SR,5.2 NaN 5.5.2.2,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,Req-8.7.c,6.1.2
CCE-85808-4 Verify Group Who Owns shadow File [ref] To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp root /etc/shadow The /etc/shadow file stores password hashes. Protection of this file is critical for system security. medium content_rule_file_groupowner_etc_shadow NaN AC-6(1),CM-6(a) 4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 PR.AC-4,PR.DS-5 NaN NaN NaN NaN 3,5,12,13,14,15,16,18 NaN NaN APO01.06,DSS05.04,DSS05.07,DSS06.02 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 SR,2.1,SR,5.2 NaN 5.5.2.2,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,Req-8.7.c,6.1.3
CCE-85803-5 Verify Permissions on group File [ref] To properly set the permissions of /etc/passwd, run the command: $ sudo chmod 0644 /etc/passwd The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. medium content_rule_file_permissions_etc_group NaN AC-6(1),CM-6(a) 4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 PR.AC-4,PR.DS-5 NaN NaN NaN NaN 3,5,12,13,14,15,16,18 NaN NaN APO01.06,DSS05.04,DSS05.07,DSS06.02 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 SR,2.1,SR,5.2 BP28(R36) 5.5.2.2,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,Req-8.7.c,6.1.4
CCE-85805-0 Verify Permissions on passwd File [ref] To properly set the permissions of /etc/passwd, run the command: $ sudo chmod 0644 /etc/passwd If the /etc/passwd file is writable by a group-owner or the world, the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. medium content_rule_file_permissions_etc_passwd NaN AC-6(1),CM-6(a) 4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 PR.AC-4,PR.DS-5 NaN NaN NaN NaN 3,5,12,13,14,15,16,18 NaN NaN APO01.06,DSS05.04,DSS05.07,DSS06.02 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 SR,2.1,SR,5.2 BP28(R36) 5.5.2.2,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,Req-8.7.c,6.1.2
CCE-85804-3 Verify Permissions on shadow File [ref] To properly set the permissions of /etc/shadow, run the command: $ sudo chmod 0640 /etc/shadow The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. medium content_rule_file_permissions_etc_shadow NaN AC-6(1),CM-6(a) 4.3.3.7.3,CIP-003-3,R5.1.1,CIP-003-3,R5.3 PR.AC-4,PR.DS-5 NaN NaN NaN NaN 3,5,12,13,14,15,16,18 NaN NaN APO01.06,DSS05.04,DSS05.07,DSS06.02 A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3 SR,2.1,SR,5.2 BP28(R36) 5.5.2.2,CIP-004-3,R2.3,CIP-007-3,R2.1,CIP-007-3,R2.2,CIP-007-3,R2.3,CIP-007-3,R5.1,CIP-007-3,R5.1.1,CIP-007-3,R5.1.2,Req-8.7.c,6.1.3
CCE-85835-7 Enable the NTP Daemon [ref] Run the following command to determine the current status of the chronyd service: $ systemctl is-active chronyd If the service is running, it should return the following: active Note: The chronyd daemon is enabled by default. Run the following command to determine the current status of the ntpd service: $ systemctl is-active ntpd If the service is running, it should return the following: active Note: The ntpd daemon is not enabled by default. As mentioned in the previous sections, in certain environments the ntpd daemon may be preferred over chronyd. Refer to https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-ntp.html for guidance on which NTP daemon to choose for the environment in use. Enabling either the chronyd or the ntpd service ensures that an NTP daemon will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches. The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated. medium content_rule_service_chronyd_or_ntpd_enabled NaN AU-8(1)(a),CM-6(a) 3.3.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 PR.PT-1 SRG-OS-000356-VMM-001340 NaN NaN CCI-000160 1,3,5,6,14,15,16 NaN NaN APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01 A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1 SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9 NaN 4.4.2.1,4.4.2.2,4.4.2.4,0988,1405,Req-10.4
CCE-85834-0 Specify Additional Remote NTP Servers [ref] Depending on the specific functional requirements of a concrete production environment, the SUSE Linux Enterprise 15 system can be configured to use either the chronyd NTP daemon (the default) or the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for a more detailed comparison of the features of the two choices and for further guidance on how to choose between the two NTP daemons. Additional NTP servers can be specified for time synchronization. To do so: if the system is configured to use chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as documented below; if the system is configured to use ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below. Add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver: server ntpserver Specifying additional NTP servers increases the availability of accurate time data in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems. medium content_rule_chronyd_or_ntpd_specify_multiple_servers NaN AU-8(1)(a),AU-8(2),CM-6(a) 4.3.3.3.9,4.3.3.5.8,4.3.4.4.7 PR.PT-1 NaN NaN NaN NaN 1,3,5,6,14,15,16 NaN NaN APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01 A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1 SR,2.10,SR,2.11,SR,2.12,SR,2.8,SR,2.9 NaN 4.4.2.1,4.4.2.2,4.4.2.4,0988,1405,Req-10.4.3
CCE-85833-2 A remote time server for Chrony is configured [ref] Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and to use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. Chrony can be configured to be a client and/or a server. Add or edit server or pool lines in /etc/chrony.conf as appropriate: server <remote-server> Multiple servers may be configured. If chrony is in use on the system, proper configuration is vital to ensuring that time synchronization is working properly. medium content_rule_chronyd_specify_remote_server NaN AU-8(1)(a),CM-6(a) NaN NaN NaN NaN NaN CCI-000160,CCI-001891 NaN NaN NaN NaN NaN NaN BP28(R43) 0988,1405,Req-10.4.3,2.2.1.3
CCE-83281-6 Set SSH Idle Timeout Interval [ref] SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows: ClientAliveInterval 900 The timeout interval is given in seconds. For example, to have a timeout of 10 minutes, set the interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. Warning: SSH disconnecting idle clients will not have the desired effect without also configuring ClientAliveCountMax in the SSH service configuration. Warning: The following conditions may prevent the SSH session from timing out: processes on the remote machine generate output; as the output has to be transferred over the network to the client, the timeout is reset every time such a transfer happens. Any scp or sftp activity by the same user to the host also resets the timeout. Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. medium content_rule_sshd_set_idle_timeout SLES-15-010280 AC-17(a),AC-2(5),AC-12,AC-17(a),CM-6(a),CM-6(a),SC-10 3.1.11,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.3 PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-2,DE.CM-1,DE.CM-3 SRG-OS-000126-GPOS-00066,SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109,SRG-OS-000395-GPOS-00175,SRG-OS-000480-VMM-002000 NaN SV-234827r622137_rule CCI-000879,CCI-001133,CCI-002361 1,3,5,7,8,12,13,14,15,16,18 NaN NaN APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,6.2 BP28(R29) 5.5.6,CIP-004-3,R2.2.3,CIP-007-3,R5.1,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,Req-8.1.8,5.2.16
CCE-83284-0 Set SSH Client Alive Count Max to zero [ref] The SSH server sends at most ClientAliveCountMax messages during an SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures the timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered idle and is terminated. To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is reached, set ClientAliveCountMax to a value of 0. This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. medium content_rule_sshd_set_keepalive_0 SLES-15-010320 AC-2(5),AC-12,AC-17(a),CM-6(a),SC-10 3.1.11,4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.3 PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-2,DE.CM-1,DE.CM-3 SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109,SRG-OS-000480-VMM-002000 NaN SV-234830r622137_rule CCI-000879,CCI-001133,CCI-002361 1,3,5,7,8,12,13,14,15,16,18 NaN 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5,A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4 SR,1.1,SR,1.10,SR,1.2,SR,1.3,SR,1.4,SR,1.5,SR,1.7,SR,1.8,SR,1.9,SR,2.1,SR,6.2 NaN 5.5.6,CIP-004-3,R2.2.3,CIP-007-3,R5.1,CIP-007-3,R5.2,CIP-007-3,R5.3.1,CIP-007-3,R5.3.2,CIP-007-3,R5.3.3,Req-8.1.8
CCE-85826-6 Enable Smartcards in SSSD [ref] SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set pam_cert_auth to true under the [pam] section in /etc/sssd/sssd.conf. For example: [pam] pam_cert_auth = true Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from the information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. medium content_rule_sssd_enable_smartcards NaN NaN NaN NaN SRG-OS-000375-GPOS-00160,SRG-OS-000105-GPOS-00052,SRG-OS-000107-VMM-000530 NaN NaN CCI-001954,CCI-000765 NaN NaN NaN NaN NaN NaN NaN 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561