DISA STIG for SUSE Linux Enterprise 15
This profile contains configuration checks that align to the DISA STIG for SUSE Linux Enterprise 15 V1R2.


ID Severity Title Discussion (Rationale) Fix Text (Description) Check Text (OCIL Check) SRG Refs CCI Refs 800-53 Refs
account_disable_post_pw_expiration medium Set Account Expiration Following Inactivity Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd:
INACTIVE=
If a password is currently on the verge of expiration, then day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information.
SRG-OS-000118-GPOS-00060
CCI-000017
CCI-000795
account_emergency_admin medium Never Automatically Remove or Disable Emergency Administrator Accounts Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. To address access requirements the SUSE operating system can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Check to see if an emergency administrator account password or account expires with the following command:
# sudo chage -l [Emergency_Administrator]

Password expires:never
If Password expires or Account expires is set to anything other than never, this is a finding.
SRG-OS-000123-GPOS-00064
CCI-001682
account_temp_expire_date medium Assign Expiration Date to Temporary Accounts If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.
SRG-OS-000002-GPOS-00002
SRG-OS-000123-GPOS-00064
CCI-000016
CCI-001682
account_unique_id medium Ensure All Accounts on the System Have Unique User IDs To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Change user IDs (UIDs), or delete accounts, so each has a unique name. SRG-OS-000104-GPOS-00051
SRG-OS-000121-GPOS-00062
CCI-000764
CCI-000804
accounts_authorized_local_users medium Only Authorized Local User Accounts Exist on Operating System Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only authorized local users required by the installed softoware groups and applications that exist on the operating system. The authorized user list can be customized in the refine value variable var_accounts_authorized_local_users_regex. OVAL regular expression is used for the user list. Configure the system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. To remove unauthorized system accounts, use the following command:
$ sudo userdel unauthorized_user
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
accounts_have_homedir_login_defs medium Ensure Home Directories are Created for New Users If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. All local interactive user accounts, upon creation, should be assigned a home directory.

Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows:

CREATE_HOME yes
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
accounts_max_concurrent_login_sessions low Limit the Number of Concurrent Login Sessions Allowed Per User Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf or a file under /etc/security/limits.d/:
* hard maxlogins 
SRG-OS-000027-GPOS-00008
CCI-000054
accounts_maximum_age_login_defs medium Set Password Maximum Age Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MAX_DAYS 
A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .
SRG-OS-000076-GPOS-00044
CCI-000199
accounts_no_uid_except_zero high Verify Only Root Has UID 0 An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
accounts_password_all_shadowed_sha512 medium Verify All Account Password Hashes are Shadowed with SHA512 The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command:
# sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
Password hashes ! or * indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with $6, this is a finding.
SRG-OS-000073-GPOS-00041
SRG-OS-000120-GPOS-00061
CCI-000196
CCI-000803
accounts_password_pam_unix_remember medium Limit Password Reuse Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:
  • for the pam_unix.so case:
    password sufficient pam_unix.so ...existing_options... remember=
  • for the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ...existing_options... remember=
The DoD STIG requirement is 5 passwords.
SRG-OS-000077-GPOS-00045
CCI-000200
accounts_password_set_max_life_existing medium Set Existing Passwords Maximum Age Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command:
$ sudo chage -M 60 USER
SRG-OS-000076-GPOS-00044
CCI-000199
accounts_password_set_min_life_existing medium Set Existing Passwords Minimum Age Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:
$ sudo chage -m 1 USER
SRG-OS-000075-GPOS-00043
CCI-000198
accounts_passwords_pam_faildelay_delay medium Enforce Delay After Failed Logon Attempts Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. To configure the system to introduce a delay after failed logon attempts, add or correct the pam_faildelay settings in /etc/pam.d/common-auth to make sure its delay parameter is at least or greater. For example:
auth required pam_faildelay.so delay=
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
accounts_passwords_pam_tally2 medium Set Deny For Failed Password Attempts By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. To configure the operating system to lock an account after three unsuccessful consecutive access attempts using pam_tally2.so, modify the content of both /etc/pam.d/common-auth and /etc/pam.d/common-account as follows:

  • add or modify the pam_tally2.so module line in /etc/pam.d/common-auth to ensure both onerr=fail and deny= are present. For example:
    auth required pam_tally2.so onerr=fail silent audit deny=
  • add or modify the following line in /etc/pam.d/common-account:
    account required pam_tally2.so
The SUSE Linux Enterprise 15 operating system must lock an account after - at most - consecutive invalid access attempts. SRG-OS-000021-GPOS-00005
CCI-000044
accounts_tmout medium Set Interactive Session Timeout Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile.d/autologout.sh should read as follows:
TMOUT=
readonly TMOUT export TMOUT
SRG-OS-000029-GPOS-00010
SRG-OS-000163-GPOS-00072
SRG-OS-000279-GPOS-00109
CCI-000057
CCI-001133
CCI-002361
accounts_umask_etc_login_defs medium Ensure the Default Umask is Set Correctly in login.defs The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
accounts_user_dot_no_world_writable_programs medium User Initialization Files Must Not Run World-Writable Programs If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. Set the mode on files being executed by the user initialization files with the following command:
$ sudo chmod 0755 FILE
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
accounts_user_home_paths_only medium Ensure that Users Path Contains Only Local Directories The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
accounts_user_interactive_home_directory_defined medium All Interactive Users Must Have A Home Directory Defined If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. Assign home directories to all interactive users that currently do not have a home directory assigned. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
accounts_user_interactive_home_directory_exists medium All Interactive Users Home Directories Must Exist If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
aide_check_audit_tools medium Configure AIDE to Verify the Audit Tools Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. The operating system file integrity tool must be configured to protect the integrity of the audit tools. SRG-OS-000278-GPOS-00108
CCI-001496
aide_periodic_cron_checking medium Configure Periodic Execution of AIDE By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root  --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root  --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
SRG-OS-000363-GPOS-00150
SRG-OS-000446-GPOS-00200
SRG-OS-000447-GPOS-00201
CCI-001744
CCI-002699
CCI-002702
aide_verify_acls low Configure AIDE to Verify Access Control Lists (ACLs) ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds acl to all rule sets available in /etc/aide.conf
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
aide_verify_ext_attributes low Configure AIDE to Verify Extended Attributes Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in /etc/aide.conf
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
apparmor_configured medium Ensure AppArmor is Active and Configured Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.

The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.

Verification of whitelisted software occurs prior to execution or at system startup.

Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources.

Apparmor can confine users to their home directory, not allowing them to make any changes outside of their own home directories. Confining users to their home directory will minimize the risk of sharing information.
Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.

The apparmor service can be enabled with the following command:
$ sudo systemctl enable apparmor.service
SRG-OS-000368-GPOS-00154
SRG-OS-000370-GPOS-00155
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
SRG-OS-000326-GPOS-00126
SRG-OS-000324-GPOS-00125
CCI-001764
CCI-001774
CCI-002165
CCI-002233
CCI-002235
audit_rules_dac_modification_chmod medium Record Events that Modify the System's Discretionary Access Controls - chmod The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_chown medium Record Events that Modify the System's Discretionary Access Controls - chown The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fchmod medium Record Events that Modify the System's Discretionary Access Controls - fchmod The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fchmodat medium Record Events that Modify the System's Discretionary Access Controls - fchmodat The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fchown medium Record Events that Modify the System's Discretionary Access Controls - fchown The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fchownat medium Record Events that Modify the System's Discretionary Access Controls - fchownat The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fremovexattr medium Record Events that Modify the System's Discretionary Access Controls - fremovexattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fsetxattr medium Record Events that Modify the System's Discretionary Access Controls - fsetxattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_lchown medium Record Events that Modify the System's Discretionary Access Controls - lchown The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_lremovexattr medium Record Events that Modify the System's Discretionary Access Controls - lremovexattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_lsetxattr medium Record Events that Modify the System's Discretionary Access Controls - lsetxattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_removexattr medium Record Events that Modify the System's Discretionary Access Controls - removexattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_setxattr medium Record Events that Modify the System's Discretionary Access Controls - setxattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_umount medium Record Events that Modify the System's Discretionary Access Controls - umount The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file system umount changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_umount2 medium Record Events that Modify the System's Discretionary Access Controls - umount2 The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file system umount2 changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_enable_syscall_auditing medium Remove Default Configuration to Disable Syscall Auditing Audit rules for syscalls do not take effect unless this line is removed. By default, SUSE Linux Enterprise 15 ships an audit rule to disable syscall auditing for performance reasons. To make sure that syscall auditing works, this line must be removed from /etc/audit/rules.d/audit.rules and /etc/audit/audit.rules:
-a task,never
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
audit_rules_execution_chacl medium Record Any Attempts to Run chacl Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the chacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_execution_chcon medium Record Any Attempts to Run chcon Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_execution_chmod medium Record Any Attempts to Run chmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the chmod command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_execution_rm medium Record Any Attempts to Run rm Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the rm command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_execution_setfacl medium Record Any Attempts to Run setfacl Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_kernel_module_loading_delete medium Ensure auditd Collects Information on Kernel Module Unloading - delete_module The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_kernel_module_loading_finit medium Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_kernel_module_loading_init medium Ensure auditd Collects Information on Kernel Module Loading - init_module The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_login_events_lastlog medium Record Attempts to Alter Logon and Logout Events - lastlog Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000169
CCI-000172
CCI-002884
audit_rules_login_events_tallylog medium Record Attempts to Alter Logon and Logout Events - tallylog Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
CCI-000126
audit_rules_media_export medium Ensure auditd Collects Information on Exporting to Media (successful) The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000169
CCI-002884
audit_rules_privileged_commands_chage medium Ensure auditd Collects Information on the Use of Privileged Commands - chage Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_chfn medium Ensure auditd Collects Information on the Use of Privileged Commands - chfn Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_chsh medium Ensure auditd Collects Information on the Use of Privileged Commands - chsh Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_crontab medium Ensure auditd Collects Information on the Use of Privileged Commands - crontab Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_gpasswd medium Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_insmod medium Ensure auditd Collects Information on the Use of Privileged Commands - insmod Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/insmod -p x -k modules
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_kmod medium Ensure auditd Collects Information on the Use of Privileged Commands - kmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /usr/bin/kmod -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-w /usr/bin/kmod -p x -k modules
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_modprobe medium Ensure auditd Collects Information on the Use of Privileged Commands - modprobe Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/modprobe -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-w /sbin/modprobe -p x -k modules
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_newgrp medium Ensure auditd Collects Information on the Use of Privileged Commands - newgrp Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000135
CCI-000172
CCI-002884
audit_rules_privileged_commands_pam_timestamp_check medium Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_passmass medium Ensure auditd Collects Information on the Use of Privileged Commands - passmass Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_passwd medium Ensure auditd Collects Information on the Use of Privileged Commands - passwd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_rmmod medium Ensure auditd Collects Information on the Use of Privileged Commands - rmmod Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/rmmod -p x -k modules
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_ssh_agent medium Record Any Attempts to Run ssh-agent Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000130
CCI-000169
CCI-000172
audit_rules_privileged_commands_ssh_keysign medium Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_su medium Ensure auditd Collects Information on the Use of Privileged Commands - su Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_sudo medium Ensure auditd Collects Information on the Use of Privileged Commands - sudo Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_sudoedit medium Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_unix2_chkpwd medium Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/unix2_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/sbin/unix2_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_unix_chkpwd medium Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_usermod medium Ensure auditd Collects Information on the Use of Privileged Commands - usermod Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_session_events_btmp medium Record Attempts to Alter Process and Session Initiation Information btmp Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/log/btmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/log/btmp -p wa -k session
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
audit_rules_session_events_utmp medium Record Attempts to Alter Process and Session Initiation Information utmp Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:
-w /run/utmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
-w /run/utmp -p wa -k session
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
audit_rules_session_events_wtmp medium Record Attempts to Alter Process and Session Initiation Information wtmp Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:
 -w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
 -w /var/log/wtmp -p wa -k session
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
audit_rules_suid_privilege_function medium Record Events When Privileged Executables Are Run Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Verify the system generates an audit record when privileged functions are executed.
# grep -iw execve /etc/audit/audit.rules
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
SRG-OS-000365-GPOS-00152
SRG-OS-000354-GPOS-00142
SRG-OS-000358-GPOS-00145
SRG-OS-000352-GPOS-00140
SRG-OS-000353-GPOS-00141
SRG-OS-000350-GPOS-00138
SRG-OS-000351-GPOS-00139
SRG-OS-000348-GPOS-00136
SRG-OS-000349-GPOS-00137
SRG-OS-000337-GPOS-00129
SRG-OS-000327-GPOS-00127
CCI-001814
CCI-001882
CCI-001889
CCI-001880
CCI-001881
CCI-001878
CCI-001879
CCI-001875
CCI-001877
CCI-001914
CCI-002234
audit_rules_sysadmin_actions medium Ensure auditd Collects System Administrator Actions The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_creat medium Record Unsuccessful Access Attempts to Files - creat Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_ftruncate medium Record Unsuccessful Access Attempts to Files - ftruncate Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_open medium Record Unsuccessful Access Attempts to Files - open Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_open_by_handle_at medium Record Unsuccessful Access Attempts to Files - open_by_handle_at Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_openat medium Record Unsuccessful Access Attempts to Files - openat Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_rename medium Record Unsuccessul Delete Attempts to Files - rename Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_renameat medium Record Unsuccessul Delete Attempts to Files - renameat Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_renameat2 medium Record Unsuccessul Delete Attempts to Files - renameat2 Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S renameat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat2 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S renameat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat2 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
CCI-000172
audit_rules_unsuccessful_file_modification_truncate medium Record Unsuccessful Access Attempts to Files - truncate Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_unlink medium Record Unsuccessul Delete Attempts to Files - unlink Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_unlinkat medium Record Unsuccessul Delete Attempts to Files - unlinkat Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000392-GPOS-00172
CCI-000172
CCI-002884
audit_rules_usergroup_modification_group medium Record Events that Modify User/Group Information - /etc/group In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
CCI-000018
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
audit_rules_usergroup_modification_gshadow medium Record Events that Modify User/Group Information - /etc/gshadow In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
CCI-000018
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
audit_rules_usergroup_modification_opasswd medium Record Events that Modify User/Group Information - /etc/security/opasswd In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
CCI-000018
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
audit_rules_usergroup_modification_passwd medium Record Events that Modify User/Group Information - /etc/passwd In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
CCI-000018
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
audit_rules_usergroup_modification_shadow medium Record Events that Modify User/Group Information - /etc/shadow In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000062-GPOS-00031
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
CCI-000018
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
auditd_audispd_configure_sufficiently_large_partition medium Configure a Sufficiently Large Partition for Audit Logs Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity. The SUSE Linux Enterprise 15 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Determine which partition the audit records are being written to with the following command:
# grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Check the size of the partition that audit records are written to with the following command:
# df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
SRG-OS-000341-GPOS-00132
CCI-001849
auditd_audispd_disk_full_action medium Configure audispd's Plugin disk_full_action When Disk Is Full Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.
SRG-OS-000479-GPOS-00224
SRG-OS-000342-GPOS-00133
CCI-001851
auditd_audispd_encrypt_sent_records medium Encrypt Audit Records Sent With audispd Plugin Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the enable_krb5 option in
/etc/audisp/audisp-remote.conf
, and set it with the following line:
enable_krb5 = yes
SRG-OS-000479-GPOS-00224
SRG-OS-000342-GPOS-00133
CCI-001851
auditd_audispd_network_failure_action medium Configure audispd's Plugin network_failure_action On Network Failure Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately:
network_failure_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. This profile configures the action to be .
SRG-OS-000479-GPOS-00224
SRG-OS-000342-GPOS-00133
CCI-001851
auditd_data_disk_full_action medium Configure auditd Disk Full Action when Disk Space Is Full Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
SRG-OS-000047-GPOS-00023
CCI-000140
auditd_data_retention_action_mail_acct medium Configure auditd mail_acct Action on Low Disk Space Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = 
SRG-OS-000046-GPOS-00022
SRG-OS-000343-GPOS-00134
CCI-000139
CCI-001855
auditd_data_retention_space_left medium Configure auditd space_left on Low Disk Space Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately:
space_left = SIZE_in_MB
Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue.
SRG-OS-000343-GPOS-00134
CCI-001855
banner_etc_gdm_banner medium Modify the System GUI Login Banner Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
To configure the GUI system login banner edit /etc/gdm/banner. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
SRG-OS-000024-GPOS-00007
CCI-000050
banner_etc_issue medium Modify the System Login Banner Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
CCI-000048
CCI-000050
chronyd_or_ntpd_set_maxpoll medium Configure Time Service Maxpoll Interval Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. The maxpoll should be configured to in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following:
maxpoll 
SRG-OS-000355-GPOS-00143
SRG-OS-000356-GPOS-00144
CCI-001891
CCI-002046
clean_components_post_updating low Ensure zypper Removes Previous Package Versions Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. zypper should be configured to remove previous software components after new versions have been installed. To configure zypper to remove the previous software components after updating, set the solver.upgradeRemoveDroppedPackages to 1 in /etc/zypp/zypp.conf. SRG-OS-000437-GPOS-00194
CCI-002617
cracklib_accounts_password_pam_dcredit medium Set Password Strength Minimum Digit Characters Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords. SRG-OS-000071-GPOS-00039
CCI-000194
cracklib_accounts_password_pam_difok medium Set Password Strength Minimum Different Characters Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. The pam_cracklib module's difok parameter controls requirements for usage of different characters during a password change. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Make sure the difok parameter for the pam_cracklib module is configured to greater than or equal to . SRG-OS-000072-GPOS-00040
CCI-000195
cracklib_accounts_password_pam_lcredit medium Set Password Strength Minimum Lowercase Characters Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords. SRG-OS-000070-GPOS-00038
CCI-000193
cracklib_accounts_password_pam_minlen medium Set Password Minimum Length Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. The pam_cracklib module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= to set minimum password length requirements. SRG-OS-000078-GPOS-00046
CCI-000205
cracklib_accounts_password_pam_ocredit medium Set Password Strength Minimum Special Characters Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. The pam_cracklib module's ocredit= parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Make sure the ocredit parameter for the pam_cracklib module is set to less than or equal to . For example, ocredit=. SRG-OS-000266-GPOS-00101
CCI-001619
cracklib_accounts_password_pam_ucredit medium Set Password Strength Minimum Uppercase Characters Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords. SRG-OS-000069-GPOS-00037
CCI-000192
dconf_db_up_to_date high Make sure that the dconf databases are up-to-date with regards to respective keyfiles Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them. By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the
dconf update
command.
dconf_gnome_banner_enabled medium Enable GNOME3 Login Warning Banner Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update. The banner text must also be set.
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
CCI-000048
CCI-000050
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
dconf_gnome_login_banner_text medium Set the GNOME3 Login Warning Banner Text An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting banner-message-text to 'APPROVED_BANNER' where APPROVED_BANNER is the approved banner for your environment.

To enable, add or edit banner-message-text to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines.
SRG-OS-000023-GPOS-00006
CCI-000048
dconf_gnome_screensaver_idle_delay medium Set GNOME3 Screensaver Inactivity Timeout A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
SRG-OS-000029-GPOS-00010
CCI-000057
dconf_gnome_screensaver_lock_enabled medium Enable GNOME3 Screensaver Lock After Idle Period A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. To activate locking of the screensaver in the GNOME3 desktop when it is activated, run the following command to configure the SUSE operating system to allow the user to lock the GUI:
gsettings set org.gnome.desktop.lockdown disable-lock-screen false
Validate that disable-lock-screen has been set to false with the command:
gsettings get org.gnome.desktop.lockdown disable-lock-screen
SRG-OS-000028-GPOS-00009
SRG-OS-000030-GPOS-00011
SRG-OS-000031-GPOS-00012
CCI-000056
CCI-000058
CCI-000060
dconf_gnome_screensaver_mode_blank medium Implement Blank Screensaver Setting the screensaver mode to blank-only conceals the contents of the display from passersby. On SUSE users should set the screensaver to use publicly viewable images or blank screen by doing the following: Find the Settings menu and then navigate to the Background selection section - Click "Activities" on the top left. - Click "Show Applications" at the bottom of the Activities menu. - Click the "Settings" icon. - Click "Background" from left hand menu. - Select image and set the Lock Screen image to the user's choice. - Exit Settings Dialog. To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
SRG-OS-000031-GPOS-00012
CCI-000060
dir_group_ownership_library_dirs medium Verify that Shared Library Directories Have Root Group Ownership Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be group-owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chgrp root DIR
SRG-OS-000259-GPOS-00100
CCI-001499
dir_ownership_library_dirs medium Verify that Shared Library Directories Have Root Ownership Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chown root DIR
SRG-OS-000259-GPOS-00100
CCI-001499
dir_permissions_library_dirs medium Verify that Shared Library Directories Have Restrictive Permissions If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All sub-directories in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w DIR
SRG-OS-000259-GPOS-00100
CCI-001499
dir_perms_world_writable_sticky_bits medium Verify that All World-Writable Directories Have Sticky Bits Set Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
SRG-OS-000138-GPOS-00069
CCI-001090
dir_perms_world_writable_system_owned_group medium Ensure All World-Writable Directories Are Group Owned by a System Account Allowing a user account to group own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. All directories in local partitions which are world-writable should be group owned by root or another system account. If any world-writable directories are not group owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
dir_system_commands_group_root_owned medium Verify that system commands directories have root as a group owner If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System commands are stored in the following directories: by default:
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin
All these directories should have root user as a group owner. If any system command directory is not group owned by a user other than root correct its ownership with the following command:
$ sudo chgrp root DIR
SRG-OS-000259-GPOS-00100
CCI-001499
dir_system_commands_root_owned medium Verify that system commands directories have root ownership If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System commands are stored in the following directories by default:
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin
All these directories should be owned by the root user. If any system command directory is not owned by a user other than root correct its ownership with the following command:
$ sudo chown root DIR
SRG-OS-000259-GPOS-00100
CCI-001499
disable_ctrlaltdel_burstaction high Disable Ctrl-Alt-Del Burst Action A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf:
CtrlAltDelBurstAction=none
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
disable_ctrlaltdel_reboot high Disable Ctrl-Alt-Del Reboot Activation A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target


Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
display_login_attempts low Ensure PAM Displays Last Logon/Access Notification Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/login to read as follows:
session     required pam_lastlog.so showfailed
And make sure that the silent option is not set.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
enable_dconf_user_profile high Configure GNOME3 DConf User Profile Failure to have a functional DConf profile prevents GNOME3 configuration settings from being enforced for all users and allows various security risks. By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such the DConf User profile should always exist and be configured correctly.

To make sure that the user profile is configured correctly, the /etc/dconf/profile/gdm should be set as follows:
user-db:user
system-db:gdm
encrypt_partitions high Encrypt Partitions The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. SUSE Linux Enterprise 15 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the SUSE Linux Enterprise 15 Documentation web site:
https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html
SRG-OS-000185-GPOS-00079
SRG-OS-000404-GPOS-00183
SRG-OS-000405-GPOS-00184
CCI-001199
CCI-002475
CCI-002476
ensure_gpgcheck_globally_activated high Ensure gpgcheck Enabled In Main zypper Configuration Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure zypper to check package signatures before installing them, ensure the following line appears in /etc/zypp/zypp.conf in the [main] section:
gpgcheck=1
SRG-OS-000366-GPOS-00153
CCI-001749
ensure_rtc_utc_configuration high Ensure real-time clock is set to UTC If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the operating system include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC. Ensure that the system real-time clock (RTC) is set to Coordinated Universal Time (UTC). SRG-OS-000359-GPOS-00146
CCI-001890
file_etc_security_opasswd medium Verify Permissions and Ownership of Old Passwords File The /etc/security/opasswd file stores old passwords to prevent password reuse. Protection of this file is critical for system security. To properly set the owner of /etc/security/opasswd, run the command:
$ sudo chown root /etc/security/opasswd 
To properly set the group owner of /etc/security/opasswd, run the command:
$ sudo chgrp root /etc/security/opasswd
To properly set the permissions of /etc/security/opasswd, run the command:
$ sudo chmod 0600 /etc/security/opasswd
SRG-OS-000077-GPOS-00045
CCI-000200
file_groupownership_home_directories medium All Interactive User Home Directories Must Be Group-Owned By The Primary User If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should. Change the group owner of interactive users home directory to the group found in /etc/passwd. To change the group owner of interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
file_groupownership_system_commands_dirs medium Verify that system commands files are group owned by root If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should be owned by the root group. If the directory, or any file in these directories, is found to be owned by a group other than root correct its ownership with the following command:
$ sudo chgrp root FILE
SRG-OS-000259-GPOS-00100
CCI-001499
file_ownership_binary_dirs medium Verify that System Executables Have Root Ownership System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE
SRG-OS-000259-GPOS-00100
CCI-001499
file_ownership_library_dirs medium Verify that Shared Library Files Have Root Ownership Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chown root FILE
SRG-OS-000259-GPOS-00100
CCI-001499
file_permission_user_init_files medium Ensure All User Initialization Files Have Mode 0740 Or Less Permissive Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. Set the mode of the user initialization files to 0740 with the following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
file_permissions_binary_dirs medium Verify that System Executables Have Restrictive Permissions System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
SRG-OS-000259-GPOS-00100
CCI-001499
file_permissions_home_directories medium All Interactive User Home Directories Must Have mode 0750 Or Less Permissive Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command:
$ sudo chmod 0750 /home/USER
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
file_permissions_library_dirs medium Verify that Shared Library Files Have Restrictive Permissions Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
SRG-OS-000259-GPOS-00100
CCI-001499
file_permissions_local_var_log_messages medium Verify that local /var/log/messages is not world-readable The /var/log/messages file contains system error messages. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set the permissions of /var/log/messages, run the command:
$ sudo chmod 0640 /var/log/messages
Check that "permissions.local" file contains the correct permissions rules with the following command:
# grep -i messages /etc/permissions.local

/var/log/messages root:root 640
SRG-OS-000206-GPOS-00084
CCI-001314
file_permissions_sshd_private_key medium Verify Permissions on SSH Server Private *_key Key Files If an unauthorized user obtains the private SSH host key file, the host could be impersonated. To properly set the permissions of /etc/ssh/*_key, run the command:
$ sudo chmod 0600 /etc/ssh/*_key
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
file_permissions_sshd_pub_key medium Verify Permissions on SSH Server Public *.pub Key Files If a public host key file is modified by an unauthorized user, the SSH service may be compromised. To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
file_permissions_system_commands_dirs medium Verify that system commands are protected from unauthorized access System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. System commands are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod 755 FILE
SRG-OS-000259-GPOS-00100
CCI-001499
file_permissions_ungroupowned medium Ensure All Files Are Owned by a Group Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. The following command will discover and print any files on local partitions which do not belong to a valid group:
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nogroup
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
CCI-000366
CCI-002165
gnome_gdm_disable_unattended_automatic_login high Disable GDM Unattended or Automatic Login Failure to restrict system access to authenticated users negatively impacts operating system security. The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials or unattended login. User should always be required to authenticate themselves to the system that they are authorized to use. To disable user ability to automatically login to the system, set the DISPLAYMANAGER_AUTOLOGIN="" or DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" in the /etc/sysconfig/displaymanager. For example:
DISPLAYMANAGER_AUTOLOGIN=""
DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
grub2_password high Set Boot Loader Password in grub2 Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.

Using the hash from the output, modify the /etc/grub.d/40_custom file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
NOTE: the bootloader superuser account and password MUST differ from the root account and password.

Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
SRG-OS-000080-GPOS-00048
CCI-000213
grub2_uefi_password high Set the UEFI Boot Loader Password Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.

Using the hash from the output, modify the /etc/grub.d/40_custom file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
NOTE: the bootloader superuser account and password MUST differ from the root account and password. Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
SRG-OS-000080-GPOS-00048
CCI-000213
gui_login_dod_acknowledgement medium Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.

System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.

The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for the SUSE operating system:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Check the configuration by running the following command:
# more /etc/gdm/Xsession
The beginning of the file must contain the following text immediately after #!/bin/sh:
if ! zenity --text-info \
--title "Consent" \
--filename=/etc/gdm/banner \
--no-markup \
--checkbox="Accept." 10 10; then
sleep 1;
exit 1;
fi
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
CCI-000048
CCI-000050
install_smartcard_packages medium Install Smart Card Packages For Multifactor Authentication Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The pam_pkcs11 package can be installed with the following command:
$ sudo zypper install pam_pkcs11
The mozilla-nss package can be installed with the following command:
$ sudo zypper install mozilla-nss
The mozilla-nss-tools package can be installed with the following command:
$ sudo zypper install mozilla-nss-tools
The pcsc-ccid package can be installed with the following command:
$ sudo zypper install pcsc-ccid
The pcsc-lite package can be installed with the following command:
$ sudo zypper install pcsc-lite
The pcsc-tools package can be installed with the following command:
$ sudo zypper install pcsc-tools
The opensc package can be installed with the following command:
$ sudo zypper install opensc
SRG-OS-000105-GPOS-00052
SRG-OS-000375-GPOS-00160
SRG-OS-000376-GPOS-00161
SRG-OS-000377-GPOS-00162
CCI-000765
CCI-001948
CCI-001953
CCI-001954
installed_OS_is_vendor_supported high The Installed Operating System Is Vendor Supported An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. The installed operating system must be maintained by a vendor. SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise vendor, SUSE is responsible for providing security patches. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
is_fips_mode_enabled high Verify '/proc/sys/crypto/fips_enabled' exists Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. On a system where FIPS 140-2 mode is enabled, /proc/sys/crypto/fips_enabled must exist. To verify FIPS mode, run the following command:
cat /proc/sys/crypto/fips_enabled
SRG-OS-000478-GPOS-00223
SRG-OS-000396-GPOS-00176
CCI-002450
kernel_module_usb-storage_disabled medium Disable Modprobe Loading of USB Storage Driver USB storage devices such as thumb drives can be used to introduce malicious software. To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000114-GPOS-00059
SRG-OS-000378-GPOS-00163
CCI-000366
CCI-000778
CCI-001958
mount_option_home_nosuid medium Add nosuid Option to /home The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
mount_option_noexec_remote_filesystems medium Mount Remote Filesystems with noexec The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
mount_option_nosuid_remote_filesystems medium Mount Remote Filesystems with nosuid NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
mount_option_nosuid_removable_partitions medium Add nosuid Option to Removable Media Partitions The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
network_sniffer_disabled medium Ensure System is Not Acting as a Network Sniffer Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.
The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command:
$ sudo ip link set dev device_name multicast off promisc off
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
no_empty_passwords high Prevent Login to Accounts With Empty Password If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in password authentication configurations in /etc/pam.d/ to prevent logins with empty passwords. Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
no_files_unowned_by_user medium Ensure All Files Are Owned by a User Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. The following command will discover and print any files on local partitions which do not belong to a valid user:
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nouser
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
CCI-000366
CCI-002165
no_host_based_files high Remove Host-Based Authentication Files The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. The shosts.equiv file list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
no_shelllogin_for_systemaccounts medium Ensure that System Accounts Do Not Run a Shell Upon Login Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than UID_MIN, where value of UID_MIN directive is set in /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin SYSACCT
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
no_user_host_based_files high Remove User Host-Based Authentication Files The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. The ~/.shosts (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
package_aide_installed medium Install AIDE The AIDE package must be installed if it is to be available for integrity checking. The aide package can be installed with the following command:
$ sudo zypper install aide
SRG-OS-000446-GPOS-00200
SRG-OS-000363-GPOS-00150
CCI-002699
CCI-001744
package_audit-audispd-plugins_installed medium Ensure the default plugins for the audit dispatcher are Installed Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. The audit-audispd-plugins package should be installed. SRG-OS-000479-GPOS-00224
SRG-OS-000342-GPOS-00133
CCI-001851
package_audit_installed medium Ensure the audit Subsystem is Installed The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. The audit package should be installed. SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000365-GPOS-00152
SRG-OS-000348-GPOS-00136
SRG-OS-000349-GPOS-00137
SRG-OS-000350-GPOS-00138
SRG-OS-000351-GPOS-00139
SRG-OS-000352-GPOS-00140
SRG-OS-000353-GPOS-00141
SRG-OS-000354-GPOS-00142
SRG-OS-000358-GPOS-00145
SRG-OS-000337-GPOS-00129
SRG-OS-000062-GPOS-00031
CCI-000172
CCI-001814
CCI-001875
CCI-001877
CCI-001878
CCI-001879
CCI-001880
CCI-001881
CCI-001882
CCI-001889
CCI-001914
CCI-000169
package_firewalld_installed medium Install firewalld Package The firewalld package should be installed to provide access control methods. The firewalld package can be installed with the following command:
$ sudo zypper install firewalld
SRG-OS-000297-GPOS-00115
CCI-002314
package_pam_apparmor_installed medium Install the pam_apparmor Package Protection of system integrity using AppArmor depends on this package being installed. The pam_apparmor package can be installed with the following command:
$ sudo zypper install pam_apparmor
SRG-OS-000368-GPOS-00154
SRG-OS-000370-GPOS-00155
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
SRG-OS-000326-GPOS-00126
SRG-OS-000324-GPOS-00125
CCI-001764
CCI-001774
CCI-002165
CCI-002233
CCI-002235
package_telnet-server_removed high Uninstall telnet-server Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
The telnet-server package can be removed with the following command:
$ sudo zypper remove telnet-server
SRG-OS-000095-GPOS-00049
CCI-000381
package_vsftpd_removed high Uninstall vsftpd Package Removing the vsftpd package decreases the risk of its accidental activation. The vsftpd package can be removed with the following command:
 $ sudo zypper remove vsftpd
SRG-OS-000074-GPOS-00042
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000095-GPOS-00049
CCI-000197
CCI-000366
CCI-000381
pam_disable_automatic_configuration medium The PAM configuration should not be changed automatically pam-config is a command line utility that automatically generates a system PAM configuration as packages are installed, updated or removed from the system. pam-config removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security. Verify the SUSE operating system is configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
partition_for_home low Ensure /home Located On Separate Partition Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001208
partition_for_var low Ensure /var Located On Separate Partition Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages. The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
partition_for_var_log_audit low Ensure /var/log/audit Located On Separate Partition Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. Audit logs are stored in the /var/log/audit directory. Ensure that /var/log/audit has its own partition or logical volume at installation time, or migrate it using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000341-GPOS-00132
CCI-000366
CCI-001849
permissions_local_audit_binaries medium Verify Permissions of Local Logs of audit Tools Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SUSE operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. Check that "permissions.local" file contains the correct permissions rules with the following command:
grep "^/usr/sbin/au" /etc/permissions.local

/usr/sbin/audispd root:root 0750
/usr/sbin/auditctl root:root 0750
/usr/sbin/auditd root:root 0750
/usr/sbin/ausearch root:root 0755
/usr/sbin/aureport root:root 0755
/usr/sbin/autrace root:root 0750
/usr/sbin/augenrules root:root 0750
Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
SRG-OS-000256-GPOS-00097
SRG-OS-000257-GPOS-00098
SRG-OS-000258-GPOS-00099
CCI-001493
CCI-001494
CCI-001495
permissions_local_var_log medium Verify permissions of log files The SUSE Linux Enterprise 15 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. SRG-OS-000205-GPOS-00083
CCI-001312
permissions_local_var_log_audit medium Verify that Local Logs of the audit Daemon are not World-Readable Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to bei read by any non-root user. Check that "permissions.local" file contains the correct permissions rules with the following command:
# grep -i audit /etc/permissions.local

/var/log/audit/ root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640
SRG-OS-000059-GPOS-00029
CCI-000164
postfix_client_configure_mail_alias low Configure System to Forward All Mail For The Root Account A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address. Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address is a valid email address reachable from the system in question. Use the following command to configure the alias:
$ sudo echo "root: " >> /etc/aliases
$ sudo newaliases
SRG-OS-000046-GPOS-00022
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000139
CCI-000366
root_permissions_syslibrary_files medium Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are owned by root. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System-wide library files are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
All system-wide shared library files should be protected from unauthorised access. If any of these files is not owned by root, correct its owner with the following command:
$ sudo chgrp root FILE
SRG-OS-000259-GPOS-00100
CCI-001499
rsyslog_remote_loghost medium Ensure Logs Sent To Remote Host A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @

To use TCP for log message delivery:
*.* @@

To use RELP for log message delivery:
*.* :omrelp:

There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000479-GPOS-00224
SRG-OS-000342-GPOS-00133
CCI-000366
CCI-001348
CCI-000136
CCI-001851
security_patches_up_to_date high Ensure Software Patches Installed Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. If the system is configured for online updates, invoking the following command will list available security updates:
$ sudo zypper refresh && sudo zypper list-patches -g security


NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001227
service_auditd_enabled medium Enable auditd Service Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
SRG-OS-000037-GPOS-00015
SRG-OS-000038-GPOS-00016
SRG-OS-000039-GPOS-00017
SRG-OS-000040-GPOS-00018
SRG-OS-000041-GPOS-00019
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000051-GPOS-00024
SRG-OS-000054-GPOS-00025
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000254-GPOS-00095
SRG-OS-000255-GPOS-00096
SRG-OS-000365-GPOS-00152
SRG-OS-000122-GPOS-00063
SRG-OS-000392-GPOS-00172
SRG-OS-000062-GPOS-00031
CCI-000126
CCI-000130
CCI-000131
CCI-000132
CCI-000133
CCI-000134
CCI-000135
CCI-000154
CCI-000158
CCI-000366
CCI-001464
CCI-001487
CCI-001814
CCI-001876
CCI-002884
CCI-000169
service_autofs_disabled medium Disable the Automounter Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000114-GPOS-00059
SRG-OS-000378-GPOS-00163
CCI-000366
CCI-000778
CCI-001958
service_firewalld_enabled medium Verify firewalld Enabled Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000096-GPOS-00050
SRG-OS-000297-GPOS-00115
CCI-000366
CCI-000382
CCI-002314
service_kdump_disabled medium Disable KDump Kernel Crash Analyzer (kdump) Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
service_sshd_enabled medium Enable the OpenSSH Service Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
SRG-OS-000423-GPOS-00187
SRG-OS-000481-GPOS-000481
SRG-OS-000425-GPOS-00189
SRG-OS-000424-GPOS-00188
SRG-OS-000426-GPOS-00190
CCI-002418
CCI-002420
CCI-002421
CCI-002422
set_password_hashing_algorithm_commonauth medium Set PAM's Common Authentication Hashing Algorithm Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and data may be compromised. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/common-auth, the auth section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the auth section to include the argument sha512, as shown below:
auth   required    pam_unix.so sha512 other arguments...

This will help ensure when local users change their authentication method, hashes for the new authentications will be generated using the SHA-512 algorithm. This is the default.
SRG-OS-000120-GPOS-00061
CCI-000803
set_password_hashing_algorithm_logindefs medium Set Password Hashing Algorithm in /etc/login.defs Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.
In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
SRG-OS-000073-GPOS-00041
CCI-000196
set_password_hashing_algorithm_systemauth medium Set PAM's Password Hashing Algorithm Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/common-password, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    required    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
SRG-OS-000073-GPOS-00041
CCI-000196
set_password_hashing_min_rounds_logindefs medium Set Password Hashing Rounds in /etc/login.defs Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using more hashing rounds makes password cracking attacks more difficult.
In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. For example:
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000
Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of 5000.
SRG-OS-000120-GPOS-00061
CCI-000803
smartcard_configure_ca medium Configure Smart Card Certificate Authority Validation Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ca like so:
cert_policy = ca, ocsp_on, signature;
SRG-OS-000066-GPOS-00034
SRG-OS-000384-GPOS-00167
CCI-000185
CCI-001991
smartcard_configure_cert_checking medium Configure Smart Card Certificate Status Checking Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
cert_policy = ca, ocsp_on, signature;
SRG-OS-000375-GPOS-00160
SRG-OS-000376-GPOS-00161
SRG-OS-000377-GPOS-00162
CCI-001948
CCI-001953
CCI-001954
smartcard_pam_enabled medium Enable Smart Card Logins in PAM Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Check that the pam_pkcs11.so option is configured in the etc/pam.d/common-auth file with the following command:
# grep pam_pkcs11.so /etc/pam.d/common-auth

auth sufficient pam_pkcs11.so
For general information about enabling smart card authentication, consult the documentation at:
SRG-OS-000105-GPOS-00052
SRG-OS-000106-GPOS-00053
SRG-OS-000107-GPOS-00054
SRG-OS-000108-GPOS-00055
SRG-OS-000068-GPOS-00036
SRG-OS-000375-GPOS-00160
SRG-OS-000376-GPOS-00161
SRG-OS-000377-GPOS-00162
CCI-000765
CCI-000766
CCI-000767
CCI-000768
CCI-000187
CCI-001948
CCI-001953
CCI-001954
sshd_disable_compression medium Disable Compression Or Set Compression to delayed If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:
Compression 
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sshd_disable_empty_passwords high Disable SSH Access via Empty Passwords Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000106-GPOS-00053
CCI-000366
CCI-000766
sshd_disable_root_login medium Disable SSH Root Login Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000109-GPOS-00056
CCI-000366
CCI-000770
sshd_disable_user_known_hosts medium Disable SSH Support for User Known Hosts Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreUserKnownHosts yes
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sshd_disable_x11_forwarding medium Disable X11 Forwarding Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.

To disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:
X11Forwarding no
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sshd_do_not_permit_user_env medium Do Not Allow SSH Environment Options SSH environment options potentially allow users to bypass access restriction in some configurations. To ensure users are not able to override environment variables of the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:
PermitUserEnvironment no
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sshd_enable_strictmodes medium Enable Use of Strict Mode Checking If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected. To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
StrictModes yes
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sshd_enable_warning_banner medium Enable SSH Warning Banner The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
CCI-000048
CCI-000050
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
sshd_print_last_log medium Enable SSH Print Last Log Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. When enabled, SSH will display the date and time of the last successful account logon. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
PrintLastLog yes
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sshd_set_idle_timeout medium Set SSH Idle Timeout Interval Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval 


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
SRG-OS-000126-GPOS-00066
SRG-OS-000163-GPOS-00072
SRG-OS-000279-GPOS-00109
CCI-000879
CCI-001133
CCI-002361
sshd_set_keepalive_0 medium Set SSH Client Alive Count Max to zero This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered idle and terminated. To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, set the ClientAliveCountMax to value of 0. SRG-OS-000126-GPOS-00066
SRG-OS-000163-GPOS-00072
SRG-OS-000279-GPOS-00109
CCI-000879
CCI-001133
CCI-002361
sshd_set_loglevel_verbose medium Set SSH Daemon LogLevel to VERBOSE SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO or VERBOSE level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. The VERBOSE parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
LogLevel VERBOSE
SRG-OS-000032-GPOS-00013
CCI-000067
sshd_use_approved_ciphers_ordered_stig medium Use Only FIPS 140-2 Validated Ciphers Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on SUSE Linux Enterprise 15.
Limit the ciphers to those algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
This rule ensures that there are configured ciphers mentioned above (or their subset), keeping the given order of algorithms.
SRG-OS-000033-GPOS-00014
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000120-GPOS-00061
SRG-OS-000125-GPOS-00065
SRG-OS-000393-GPOS-00173
SRG-OS-000394-GPOS-00174
CCI-000068
CCI-000366
CCI-000803
CCI-000877
CCI-002890
CCI-003123
sshd_use_approved_macs_ordered_stig medium Use Only FIPS 140-2 Validated MACs DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256
This rule ensures that there are configured MACs mentioned above (or their subset), keeping the given order of algorithms.
SRG-OS-000033-GPOS-00014
SRG-OS-000120-GPOS-00061
SRG-OS-000125-GPOS-00065
SRG-OS-000250-GPOS-00093
SRG-OS-000394-GPOS-00174
CCI-000068
CCI-000803
CCI-000877
CCI-001453
CCI-003123
sssd_memcache_timeout medium Configure SSSD's Memory Cache to Expire If cached authentication information is out-of-date, the validity of the authentication information may be questionable. SSSD's memory cache should be configured to set to expire records after seconds. To configure SSSD to expire memory cache, set memcache_timeout to under the [nss] section in /etc/sssd/sssd.conf. For example:
[nss]
memcache_timeout = 
SRG-OS-000383-GPOS-00166
CCI-002007
sssd_offline_cred_expiration medium Configure SSSD to Expire Offline Credentials If cached authentication information is out-of-date, the validity of the authentication information may be questionable. SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
SRG-OS-000383-GPOS-00166
CCI-002007
sudo_remove_no_authenticate medium Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. SRG-OS-000373-GPOS-00158
SRG-OS-000373-GPOS-00157
SRG-OS-000373-GPOS-00156
CCI-002038
sudo_remove_nopasswd medium Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. SRG-OS-000373-GPOS-00158
SRG-OS-000373-GPOS-00157
SRG-OS-000373-GPOS-00156
CCI-002038
sudo_require_authentication medium Ensure Users Re-Authenticate for Privilege Escalation - sudo Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
The sudo NOPASSWD and !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that NOPASSWD and/or !authenticate do not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/." SRG-OS-000373-GPOS-00158
SRG-OS-000373-GPOS-00157
SRG-OS-000373-GPOS-00156
CCI-002038
sudo_require_reauthentication medium The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. SRG-OS-000373-GPOS-00158
SRG-OS-000373-GPOS-00157
SRG-OS-000373-GPOS-00156
CCI-002038
sudo_restrict_privilege_elevation_to_authorized medium The operating system must restrict privilege elevation to authorized personnel If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. Restrict privileged actions by removing the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sudoers_validate_passwd medium Ensure invoking users password for privilege escalation when using sudo If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output for:
sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
 /etc/sudoers:Defaults !targetpw
      /etc/sudoers:Defaults !rootpw
      /etc/sudoers:Defaults !runaspw 
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-002227
sysctl_kernel_kptr_restrict medium Restrict Exposed Kernel Pointer Addresses Access Exposing kernel pointers (through procfs or seq_printf()) exposes kernel writeable structures that can contain functions pointers. If a write vulnereability occurs in the kernel allowing a write access to any of this structure, the kernel can be compromise. This option disallow any program withtout the CAP_SYSLOG capability from getting the kernel pointers addresses, replacing them with 0. To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 1
SRG-OS-000433-GPOS-00193
SRG-OS-000433-GPOS-00192
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-002824
CCI-000366
sysctl_kernel_randomize_va_space medium Enable Randomized Layout of Virtual Address Space Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000433-GPOS-00193
SRG-OS-000433-GPOS-00192
CCI-000366
CCI-002824
sysctl_net_ipv4_conf_all_accept_redirects medium Disable Accepting ICMP Redirects for All IPv4 Interfaces ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001503
CCI-001551
sysctl_net_ipv4_conf_all_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv4_conf_all_send_redirects medium Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv4_conf_default_accept_redirects medium Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001551
sysctl_net_ipv4_conf_default_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001551
sysctl_net_ipv4_conf_default_send_redirects medium Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv4_ip_forward medium Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.ip_forward = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv4_tcp_syncookies medium Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.tcp_syncookies = 1
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000142-GPOS-00071
CCI-000366
CCI-001095
sysctl_net_ipv6_conf_all_accept_redirects medium Disable Accepting ICMP Redirects for All IPv6 Interfaces An illicit ICMP redirect message could result in a man-in-the-middle attack. To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001551
sysctl_net_ipv6_conf_all_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv6_conf_all_forwarding medium Disable Kernel Parameter for IPv6 Forwarding IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv6_conf_default_accept_redirects medium Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces An illicit ICMP redirect message could result in a man-in-the-middle attack. To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001551
sysctl_net_ipv6_conf_default_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv6_conf_default_forwarding medium Disable Kernel Parameter for IPv6 Forwarding by default IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. To set the runtime status of the net.ipv6.conf.default.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.forwarding = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
vlock_installed medium Check that vlock is installed to allow session locking A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. The SUSE Linux Enterprise 15 operating system must have vlock installed to allow for session locking. The kbd package can be installed with the following command:
$ sudo zypper install kbd
SRG-OS-000028-GPOS-00009
SRG-OS-000030-GPOS-00011
SRG-OS-000031-GPOS-00012
CCI-000056
CCI-000058
CCI-000060
wireless_disable_interfaces medium Deactivate Wireless Network Interfaces The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable wireless network interfaces by issuing the following command for every active <WIFI-INTERFACE> in the system:
$ sudo wicked ifdown <WIFI-INTERFACE>
Also remove the configuration files for every wifi adapter from /etc/wicked/ifconfig/<WIFI-INTERFACE>.xml to prevent future connections.
SRG-OS-000423-GPOS-00187
SRG-OS-000481-GPOS-000481
SRG-OS-000424-GPOS-00188
SRG-OS-000299-GPOS-00117
CCI-000085
CCI-002418
CCI-002421
CCI-001444