Rules In DISA STIG for SUSE Linux Enterprise 15


Total Missing Implemented Coverage STIG ids missing rule
232 5 227 97.84% SLES-15-010001 SLES-15-010370 SLES-15-020190 SLES-15-040010 SLES-15-040061
V-ID CCI CAT Title Description Check Procedures Fixtext Version Mapped Rule
V-234800 1230 high The SUSE operating system must be a vendor-supported release. An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. To verify that the installed operating system is supported, run the following command: $ grep -i "suse" /etc/os-release The output should contain something similar to: SUSE Linux Enterprise 15 Is it the case that the installed operating system is not supported? The installed operating system must be maintained by a vendor. SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise vendor, SUSE is responsible for providing security patches. SLES-15-010000 installed_OS_is_vendor_supported
V-234801 medium The SUSE operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP). SLES-15-010001 Missing Rule
V-234802 1227 medium Vendor-packaged SUSE operating system security patches and updates must be installed and up to date. Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. If the system is configured for online updates, invoking the following command will list available security updates:
$ sudo zypper refresh && sudo zypper list-patches -g security


NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
SLES-15-010010 security_patches_up_to_date
V-234803 48 medium The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
To check if the system login banner is compliant, run the following command: $ cat /etc/issue Is it the case that it does not display the required banner? To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
SLES-15-010020 banner_etc_issue
V-234804 381 high The SUSE operating system must not have the vsftpd package installed if not required for operational support. Removing the vsftpd package decreases the risk of its accidental activation. Run the following command to determine if the vsftpd package is installed: $ rpm -q vsftpd Is it the case that the package is installed? The vsftpd package can be removed with the following command:
 $ sudo zypper remove vsftpd
SLES-15-010030 package_vsftpd_removed
V-234805 1388 medium The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH. The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. To determine how the SSH daemon's Banner option is set, run the following command: $ sudo grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. Is it the case that the required value is not set? To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
SLES-15-010040 sshd_enable_warning_banner
V-234806 50 medium The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI). Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Verify the SUSE operating system displays the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on via the local GUI. Note: If GNOME is not installed, this requirement is Not Applicable. Check the configuration by running the following command: # more /etc/gdm/Xsession The beginning of the file must contain the following text immediately after #!/bin/sh: if ! zenity --text-info \ --title "Consent" \ --filename=/etc/gdm/banner \ --no-markup \ --checkbox="Accept." 10 10; then sleep 1; exit 1; fi If the beginning of the file does not contain the above text immediately after the line (#!/bin/sh), this is a finding. Is it the case that the GNOME environment does not display the standard mandatory DoD notice and consent banner? Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.

System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.

The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for the SUSE operating system:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Check the configuration by running the following command:
# more /etc/gdm/Xsession
The beginning of the file must contain the following text immediately after #!/bin/sh:
if ! zenity --text-info \
--title "Consent" \
--filename=/etc/gdm/banner \
--no-markup \
--checkbox="Accept." 10 10; then
sleep 1;
exit 1;
fi
SLES-15-010050 gui_login_dod_acknowledgement
V-234807 50 medium The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
To check if the system login banner is compliant, run the following command: $ cat /etc/gdm/banner Is it the case that it does not display the required banner? To configure the GUI system login banner edit /etc/gdm/banner. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
SLES-15-010060 banner_etc_gdm_banner
V-234808 1387 medium The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
To ensure a login warning banner is enabled, run the following: $ grep banner-message-enable /etc/dconf/db/gdm.d/* If properly configured, the output should be true. To ensure a login warning banner is locked and cannot be changed by a user, run the following: $ grep banner-message-enable /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/banner-message-enable. Is it the case that it is not? In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update. The banner text must also be set.
SLES-15-010080 dconf_gnome_banner_enabled
V-234809 1388 medium The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon. An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. To ensure the login warning banner text is properly set, run the following: $ grep banner-message-text /etc/dconf/db/gdm.d/* If properly configured, the proper banner text will appear. To ensure the login warning banner text is locked and cannot be changed by a user, run the following: $ grep banner-message-text /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/banner-message-text. Is it the case that it does not? In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting banner-message-text to 'APPROVED_BANNER' where APPROVED_BANNER is the approved banner for your environment.

To enable, add or edit banner-message-text to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines.
SLES-15-010090 dconf_gnome_login_banner_text
V-234810 56 medium The SUSE operating system must be able to lock the graphical user interface (GUI). A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. To check the status of the idle screen lock activation, run the following command: gsettings get org.gnome.desktop.lockdown disable-lock-screen If the result is "true", this is a finding. Configure the SUSE operating system to allow the user to lock the GUI. Run the following command to configure the SUSE operating system to allow the user to lock the GUI: gsettings set org.gnome.desktop.lockdown disable-lock-screen false Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly? To activate locking of the screensaver in the GNOME3 desktop when it is activated, run the following command to configure the SUSE operating system to allow the user to lock the GUI:
gsettings set org.gnome.desktop.lockdown disable-lock-screen false
Validate that disable-lock-screen has been set to false with the command:
gsettings get org.gnome.desktop.lockdown disable-lock-screen
SLES-15-010100 dconf_gnome_screensaver_lock_enabled
V-234811 58 low The SUSE operating system must utilize vlock to allow for session locking. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. Run the following command to determine if the kbd package is installed: $ rpm -q kbd Is it the case that the package is not installed? The SUSE Linux Enterprise 15 operating system must have vlock installed to allow for session locking. The kbd package can be installed with the following command:
$ sudo zypper install kbd
SLES-15-010110 vlock_installed
V-234812 57 medium The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI). A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. To check the current idle time-out value, run the following command: $ gsettings get org.gnome.desktop.session idle-delay If properly configured, the output should be 'uint32 '. To ensure that users cannot change the screensaver inactivity timeout setting, run the following: $ grep idle-delay /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/desktop/session/idle-delay Is it the case that idle-delay is not equal to or less than the expected value? The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
SLES-15-010120 dconf_gnome_screensaver_idle_delay
V-234813 57 medium The SUSE operating system must initiate a session lock after a 15-minute period of inactivity. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Run the following command to ensure the TMOUT value is configured for all users on the system: $ sudo grep TMOUT /etc/profile.d/autologout.sh The output should return the following: TMOUT= readonly TMOUT export TMOUT Is it the case that value of TMOUT is not less than or equal to expected setting? Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile.d/autologout.sh should read as follows:
TMOUT=
readonly TMOUT export TMOUT
SLES-15-010130 accounts_tmout
V-234814 60 low The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI). Setting the screensaver mode to blank-only conceals the contents of the display from passersby. To ensure the screensaver is configured to be blank, run the following command: $ gsettings get org.gnome.desktop.screensaver picture-uri If properly configured, the output should be ''. To ensure that users cannot set the screensaver background, run the following: $ grep picture-uri /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri Is it the case that it is not set or configured properly? On SUSE users should set the screensaver to use publicly viewable images or blank screen by doing the following: Find the Settings menu and then navigate to the Background selection section - Click "Activities" on the top left. - Click "Show Applications" at the bottom of the Activities menu. - Click the "Settings" icon. - Click "Background" from left hand menu. - Select image and set the Lock Screen image to the user's choice. - Exit Settings Dialog. To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
SLES-15-010140 dconf_gnome_screensaver_mode_blank
V-234815 67 medium The SUSE operating system must log SSH connection attempts and failures to the server. SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO or VERBOSE level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. To check if LogLevel is enabled or set correctly, run the following command: $ sudo grep "^LogLevel" /etc/ssh/sshd_config If configured properly, output should be LogLevel VERBOSE Is it the case that it is commented out or is not enabled? The VERBOSE parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
LogLevel VERBOSE
SLES-15-010150 sshd_set_loglevel_verbose
V-234816 68 medium The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections. Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on SUSE Linux Enterprise 15.
Only FIPS ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: $ sudo grep Ciphers /etc/ssh/sshd_config The output should contain only following ciphers (or a subset) in the exact order: aes256-ctr,aes192-ctr,aes128-ctr Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved? Limit the ciphers to those algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
This rule ensures that there are configured ciphers mentioned above (or their subset), keeping the given order of algorithms.
SLES-15-010160 sshd_use_approved_ciphers_ordered_stig
V-234817 1991 medium The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
To verify the operating system implements certificate status checking for PKI authentication, run the following command: $ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf The output should return multiple lines similiar to the following: cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; Is it the case that ca is not configured? Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ca like so:
cert_policy = ca, ocsp_on, signature;
SLES-15-010170 smartcard_configure_ca
V-234818 381 high The SUSE operating system must not have the telnet-server package installed. It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
Run the following command to determine if the telnet-server package is installed: $ rpm -q telnet-server Is it the case that the package is installed? The telnet-server package can be removed with the following command:
$ sudo zypper remove telnet-server
SLES-15-010180 package_telnet-server_removed
V-234819 213 high SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes. Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. To verify the boot loader superuser password has been set, run the following command: sudo grep "boot" /boot/grub2/grub.cfg The output should show the following: password_pbkdf2 superusers-account ${GRUB2_PASSWORD} To verify the boot loader superuser account password has been set, and the password encrypted, run the following command: sudo cat /etc/grub.d/40_custom The output should be similar to: set superusers="boot" password_pbkdf2 boot grub.pbkdf2.sha512.10000.5DE5DF6E01A52E17A8C2FEDF585A3916B345F654C9D19C9ECD0BC958DF8C8A5E1AB15862D9C0B6DCE1F3209D8E8B46101DB3AE7146BB9D7D6C1D379E1854AF9E.CD75F981FE5223C583FB7887544C3A4C96431B5C089801D26855B93A1CB0BC0A508D189F1799A1CC40036B069C36EAD51DAE6A2EE6C0732353B2B5B4F5C49088 Is it the case that it does not? The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.

Using the hash from the output, modify the /etc/grub.d/40_custom file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
NOTE: the bootloader superuser account and password MUST differ from the root account and password.

Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
SLES-15-010190 grub2_password
V-234820 213 high SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. To verify the boot loader superuser password has been set, run the following command: sudo grep -A1 "superusers\|password" /etc/grub.d/40_custom The output should show the following: password_pbkdf2 superusers-account ${GRUB2_PASSWORD} To verify the boot loader superuser account password has been set, and the password encrypted, run the following command: sudo cat /boot/grub2/grub.cfg The output should be similar to: password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 Is it the case that it does not? The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.

Using the hash from the output, modify the /etc/grub.d/40_custom file with the following content:
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
NOTE: the bootloader superuser account and password MUST differ from the root account and password. Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
SLES-15-010200 grub2_uefi_password
V-234821 2314 medium The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. Run the following command to determine the current status of the firewalld service: $ systemctl is-active firewalld If the service is running, it should return the following: active Is it the case that ? The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
SLES-15-010220 service_firewalld_enabled
V-234822 804 medium The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users. To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Run the following command to check for duplicate account names: Check that the operating system contains no duplicate UIDs for interactive users by running the following command: # awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, this is a finding. Configure the operating system to contain no duplicate UIDs for interactive users. Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID. Is it the case that a line is returned? Change user IDs (UIDs), or delete accounts, so each has a unique name. SLES-15-010230 account_unique_id
V-234823 1958 medium The SUSE operating system must disable the file system automounter unless required. Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
To check that the autofs service is disabled in system boot configuration, run the following command: $ systemctl is-enabled autofs Output should indicate the autofs service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled autofs disabled Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: $ systemctl is-active autofs If the service is not running the command will return the following output: inactive The service will also be masked, to check that the autofs is masked, run the following command: $ systemctl show autofs | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that ? The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
SLES-15-010240 service_autofs_disabled
V-234824 803 medium The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (system-auth). Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and data may be compromised. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. Inspect the contents of /etc/pam.d/common-auth and ensure that the pam_unix.so module includes the argument sha512: $ grep sha512 /etc/pam.d/common-auth Is it the case that it does not? The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/common-auth, the auth section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the auth section to include the argument sha512, as shown below:
auth   required    pam_unix.so sha512 other arguments...

This will help ensure when local users change their authentication method, hashes for the new authentications will be generated using the SHA-512 algorithm. This is the default.
SLES-15-010250 set_password_hashing_algorithm_commonauth
V-234825 803 medium The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs). Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.
Inspect /etc/login.defs and ensure the following line appears: ENCRYPT_METHOD SHA512 Is it the case that it does not? In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
SLES-15-010260 set_password_hashing_algorithm_logindefs
V-234826 3123 medium The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. Only FIPS-approved MACs should be used. To verify that only FIPS-approved MACs are in use, run the following command: $ sudo grep -i macs /etc/ssh/sshd_config The output should contain only following MACs (or a subset) in the exact order: MACs Is it the case that MACs option is commented out or not using FIPS-approved hash algorithms? Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256
This rule ensures that there are configured MACs mentioned above (or their subset), keeping the given order of algorithms.
SLES-15-010270 sshd_use_approved_macs_ordered_stig
V-234827 2361 medium The SUSE operating system SSH daemon must be configured with a timeout interval. Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. Run the following command to see what the timeout interval is: $ sudo grep ClientAliveInterval /etc/ssh/sshd_config If properly configured, the output should be: ClientAliveInterval Is it the case that it is commented out or not configured properly? SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval 


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
SLES-15-010280 sshd_set_idle_timeout
V-234828 1090 medium The sticky bit must be set on all SUSE operating system world-writable directories. Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.
To find world-writable directories that lack the sticky bit, run the following command: $ sudo find / -xdev -type d -perm 002 ! -perm 1000 Is it the case that any world-writable directories are missing the sticky bit? When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
SLES-15-010300 dir_perms_world_writable_sticky_bits
V-234829 1095 medium The SUSE operating system must be configured to use TCP syncookies. A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies The output of the command should indicate a value of 1. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.tcp_syncookies\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.tcp_syncookies = 1 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.tcp_syncookies = 1, and that one assignment is returned when $ grep -r net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.tcp_syncookies = 1
SLES-15-010310 sysctl_net_ipv4_tcp_syncookies
V-234830 2361 medium The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity. This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. To ensure ClientAliveInterval is set correctly, run the following command: $ sudo grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, the output should be: ClientAliveCountMax 0 In this case, the SSH idle timeout occurs precisely when the ClientAliveInterval is set. Is it the case that it is commented out or not configured properly? The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered idle and terminated. To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, set the ClientAliveCountMax to value of 0. SLES-15-010320 sshd_set_keepalive_0
V-234831 2475 medium All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection. The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. Check the system partitions to determine if they are encrypted with the following command: blkid Output will be similar to: /dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2 " TYPE="crypto_LUKS" /dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2 " TYPE="crypto_LUKS" Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding. Is it the case that partitions do not have a type of crypto_LUKS? SUSE Linux Enterprise 15 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the SUSE Linux Enterprise 15 Documentation web site:
https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html
SLES-15-010330 encrypt_partitions
V-234832 1312 medium The SUSE operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. The SUSE Linux Enterprise 15 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. Verify the operating system has all system log files under the /var/log directory with a permission set to 640, by using the following command: sudo find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \; Is it the case that not all log files have permission 640 or stricter? Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. SLES-15-010340 permissions_local_var_log
V-234833 1314 medium The SUSE operating system must prevent unauthorized users from accessing system error messages. The /var/log/messages file contains system error messages. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. To check the permissions of /var/log/messages, run the command: $ ls -l /var/log/messages If properly configured, the output should indicate the following permissions: -rw-r----- Check that permissions.local file contains the correct permissions rules with the following command: # grep -i messages /etc/permissions.local /var/log/messages root:root 640 If the command does not return any or different output, this is a finding. Run the following command to correct the permissions after adding the missing entry: # sudo chkstat --set --system Is it the case that Make sure /var/log/messages is not world-readable? Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set the permissions of /var/log/messages, run the command:
$ sudo chmod 0640 /var/log/messages
Check that "permissions.local" file contains the correct permissions rules with the following command:
# grep -i messages /etc/permissions.local

/var/log/messages root:root 640
SLES-15-010350 file_permissions_local_var_log_messages
V-234834 1499 medium The SUSE operating system library files must have mode 0755 or less permissive. Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. Shared libraries are stored in the following directories: /lib /lib64 /usr/lib /usr/lib64 To find shared libraries that are group-writable or world-writable, run the following command for each directory DIR which contains shared libraries: $ sudo find -L DIR -perm /022 -type f Is it the case that any of these files are group-writable or world-writable? System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
SLES-15-010351 file_permissions_library_dirs
V-234835 1499 medium The SUSE operating system library directories must have mode 0755 or less permissive. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Shared libraries are stored in the following directories: /lib /lib64 /usr/lib /usr/lib64 To find shared libraries that are group-writable or world-writable, run the following command for each directory DIR which contains shared libraries: $ sudo find -L DIR -perm /022 -type d Is it the case that any of these files are group-writable or world-writable? System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All sub-directories in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w DIR
SLES-15-010352 dir_permissions_library_dirs
V-234836 1499 medium The SUSE operating system library files must be owned by root. Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. Shared libraries are stored in the following directories: /lib /lib64 /usr/lib /usr/lib64 For each of these directories, run the following command to find files not owned by root: $ sudo find -L $DIR ! -user root -exec chown root {} \; Is it the case that any of these files are not owned by root? System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chown root FILE
SLES-15-010353 file_ownership_library_dirs
V-234837 1499 medium The SUSE operating system library directories must be owned by root. Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. Shared libraries are stored in the following directories: /lib /lib64 /usr/lib /usr/lib64 For each of these directories, run the following command to find files not owned by root: $ sudo find -L $DIR ! -user root -type d -exec chown root {} \; Is it the case that any of these directories are not owned by root? System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chown root DIR
SLES-15-010354 dir_ownership_library_dirs
V-234838 1499 medium The SUSE operating system library files must be group-owned by root. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System-wide library files are stored in the following directories: /lib /lib64 /usr/lib /usr/lib64 To find if system-wide library files stored in these directories are not group-owned by root run the following command for each directory DIR: $ sudo find -L DIR ! -group root -type f Is it the case that system wide library files are not group owned by root? System-wide library files are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
All system-wide shared library files should be protected from unauthorised access. If any of these files is not owned by root, correct its owner with the following command:
$ sudo chgrp root FILE
SLES-15-010355 root_permissions_syslibrary_files
V-234839 1499 medium The SUSE operating system library directories must be group-owned by root. Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. Shared libraries are stored in the following directories: /lib /lib64 /usr/lib /usr/lib64 For each of these directories, run the following command to find files not owned by root: $ sudo find -L $DIR ! -user root -type d -exec chgrp root {} \; Is it the case that any of these directories are not group-owned by root? System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be group-owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chgrp root DIR
SLES-15-010356 dir_group_ownership_library_dirs
V-234840 1499 medium The SUSE operating system must have system commands set to a mode of 0755 or less permissive. System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. System commands are stored in the following directories by default: /bin /sbin /usr/bin /usr/local/bin /usr/local/sbin /usr/sbin To find system commands that have mode 0755 or less permissive, run the following command for each directory DIR which contains system executables: $ sudo find -L DIR -perm /022 -type f Is it the case that any system commands are found to be group or world writable? System commands are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod 755 FILE
SLES-15-010357 file_permissions_system_commands_dirs
V-234841 1499 medium The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive. System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin To find system executables that are group-writable or world-writable, run the following command for each directory DIR which contains system executables: $ sudo find -L DIR -perm /022 -type f Is it the case that any system executables are found to be group or world writable? System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
SLES-15-010358 file_permissions_binary_dirs
V-234842 1499 medium The SUSE operating system must have system commands owned by root. System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin To find system executables that are not owned by root, run the following command for each directory DIR which contains system executables: $ sudo find DIR/ \! -user root Is it the case that any system executables are found to not be owned by root? System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE
SLES-15-010359 file_ownership_binary_dirs
V-234843 1499 medium The SUSE operating system must have directories that contain system commands owned by root. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System commands are stored in the following directories: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin For each of these directories, run the following command to find directories not owned by root: $ sudo find -L $DIR ! -user root -type d Is it the case that any of these directories are not owned by root? System commands are stored in the following directories by default:
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin
All these directories should be owned by the root user. If any system command directory is not owned by a user other than root correct its ownership with the following command:
$ sudo chown root DIR
SLES-15-010360 dir_system_commands_root_owned
V-234844 1499 medium The SUSE operating system must have system commands group-owned by root. If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System commands are stored in the following directories: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin For each of these directories, run the following command to find files not owned by root group: $ sudo find -L $DIR ! -group root -type f \; Is it the case that any of these files are not owned by root group? System commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should be owned by the root group. If the directory, or any file in these directories, is found to be owned by a group other than root correct its ownership with the following command:
$ sudo chgrp root FILE
SLES-15-010361 file_groupownership_system_commands_dirs
V-234845 1499 medium The SUSE operating system must have directories that contain system commands group-owned by root. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System commands are stored in the following directories: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin For each of these directories, run the following command to find directories not owned by root: $ sudo find -L $DIR ! -group root -type d -exec chgrp root {} \; Is it the case that any of these directories are not group owned by root? System commands are stored in the following directories: by default:
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin
All these directories should have root user as a group owner. If any system command directory is not group owned by a user other than root correct its ownership with the following command:
$ sudo chgrp root DIR
SLES-15-010362 dir_system_commands_group_root_owned
V-234846 medium The SUSE operating system must have a firewall system installed to immediately disconnect or disable remote access to the whole operating system. SLES-15-010370 Missing Rule
V-234847 2418 medium The SUSE operating system wireless network adapters must be disabled unless approved and documented. The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. Verify that there are no wireless interfaces configured on the system with the following command: # wicked show all lo up link: #1, state up type: loopback config: compat:suse:/etc/sysconfig/network/ifcfg-lo leases: ipv4 static granted leases: ipv6 static granted addr: ipv4 127.0.0.1/8 [static] addr: ipv6 ::1/128 [static] wlan0 up link: #3, state up, mtu 1500 type: wireless, hwaddr 06:00:00:00:00:02 config: wicked:xml:/etc/wicked/ifconfig/wlan0.xml leases: ipv4 dhcp granted addr: ipv4 10.0.0.101/16 [dhcp] route: ipv4 default via 10.0.0.1 proto dhcp The output should not contain any interfaces of type wireless in state up. If a wireless interface is configured it must be documented and approved by the local Authorizing Official. Is it the case that it is not? Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable wireless network interfaces by issuing the following command for every active <WIFI-INTERFACE> in the system:
$ sudo wicked ifdown <WIFI-INTERFACE>
Also remove the configuration files for every wifi adapter from /etc/wicked/ifconfig/<WIFI-INTERFACE>.xml to prevent future connections.
SLES-15-010380 wireless_disable_interfaces
V-234848 1774 medium SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control. Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.

The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.

Verification of whitelisted software occurs prior to execution or at system startup.

Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources.

Apparmor can confine users to their home directory, not allowing them to make any changes outside of their own home directories. Confining users to their home directory will minimize the risk of sharing information.
Run the following command to determine the current status of the apparmor service: $ systemctl is-active apparmor If the service is running, it should return the following: active Is it the case that it is not? Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.

The apparmor service can be enabled with the following command:
$ sudo systemctl enable apparmor.service
SLES-15-010390 apparmor_configured
V-234849 1891 medium The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. To verify that maxpoll has been set properly, perform the following: $ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf The output should return maxpoll . Is it the case that it does not exist or maxpoll has not been set to the expected value? The maxpoll should be configured to in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following:
maxpoll 
SLES-15-010400 chronyd_or_ntpd_set_maxpoll
V-234850 1890 low The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the operating system include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC. To verify that the system real-time clock is set to UTC or GMT, run the following command: # timedatectl status | grep -i "time zone" # Time zone: UTC (UTC, +0000) If "Timezone" is not set to UTC, this is a finding. Fix Text: Configure the SUSE operating system is configured to use UTC. To configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with "UTC" or "GMT". # sudo timedatectl set-timezone [ZONE] Is it the case that the system real-time clock is not configured to use UTC as its time base? Ensure that the system real-time clock (RTC) is set to Coordinated Universal Time (UTC). SLES-15-010410 ensure_rtc_utc_configuration
V-234851 2699 medium Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly. The AIDE package must be installed if it is to be available for integrity checking. Run the following command to determine if the aide package is installed: $ rpm -q aide Is it the case that the package is not installed? The aide package can be installed with the following command:
$ sudo zypper install aide
SLES-15-010420 package_aide_installed
V-234852 1749 high The SUSE operating system tool zypper must have gpgcheck enabled. Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
To determine whether zypper is configured to use gpgcheck, inspect /etc/zypp/zypp.conf and ensure the following appears in the [main] section: gpgcheck=1 A value of 1 indicates that gpgcheck is enabled. Absence of a gpgcheck line or a setting of 0 indicates that it is disabled. Is it the case that GPG checking is not enabled? The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure zypper to check package signatures before installing them, ensure the following line appears in /etc/zypp/zypp.conf in the [main] section:
gpgcheck=1
SLES-15-010430 ensure_gpgcheck_globally_activated
V-234853 2038 high The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges. Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
To determine if NOPASSWD or !authenticate have been configured for sudo, run the following command: $ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/ The command should return no output. Is it the case that nopasswd and/or !authenticate is enabled in sudo? The sudo NOPASSWD and !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that NOPASSWD and/or !authenticate do not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/." SLES-15-010450 sudo_require_authentication
V-234854 1954 medium The SUSE operating system must have the packages required for multifactor authentication to be installed. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
'Run the following command to determine if the pam_pkcs11 package is installed: $ rpm -q pam_pkcs11' 'Run the following command to determine if the mozilla-nss package is installed: $ rpm -q mozilla-nss' 'Run the following command to determine if the mozilla-nss-tools package is installed: $ rpm -q mozilla-nss-tools' 'Run the following command to determine if the pcsc-ccid package is installed: $ rpm -q pcsc-ccid' 'Run the following command to determine if the pcsc-lite package is installed: $ rpm -q pcsc-lite' 'Run the following command to determine if the pcsc-tools package is installed: $ rpm -q pcsc-tools' 'Run the following command to determine if the opensc package is installed: $ rpm -q opensc' Is it the case that smartcard software is not installed? Configure the operating system to implement multifactor authentication by installing the required package with the following command: The pam_pkcs11 package can be installed with the following command:
$ sudo zypper install pam_pkcs11
The mozilla-nss package can be installed with the following command:
$ sudo zypper install mozilla-nss
The mozilla-nss-tools package can be installed with the following command:
$ sudo zypper install mozilla-nss-tools
The pcsc-ccid package can be installed with the following command:
$ sudo zypper install pcsc-ccid
The pcsc-lite package can be installed with the following command:
$ sudo zypper install pcsc-lite
The pcsc-tools package can be installed with the following command:
$ sudo zypper install pcsc-tools
The opensc package can be installed with the following command:
$ sudo zypper install opensc
SLES-15-010460 install_smartcard_packages
V-234855 1948 medium The SUSE operating system must implement certificate status checking for multifactor authentication. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
To verify the operating system implements certificate status checking for PKI authentication, run the following command: $ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf The output should return multiple lines similiar to the following: cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; Is it the case that ocsp_on is not configured? Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
cert_policy = ca, ocsp_on, signature;
SLES-15-010470 smartcard_configure_cert_checking
V-234856 1958 medium The SUSE operating system must disable the USB mass storage kernel module. USB storage devices such as thumb drives can be used to introduce malicious software. If the system is configured to prevent the loading of the usb-storage kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
SLES-15-010480 kernel_module_usb-storage_disabled
V-234857 2007 medium If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day. If cached authentication information is out-of-date, the validity of the authentication information may be questionable. To verify that SSSD's in-memory cache expires after a day, run the following command: $ sudo grep memcache_timeout /etc/sssd/sssd.conf If configured properly, output should be memcache_timeout = . Is it the case that it does not exist or is not configured properly? SSSD's memory cache should be configured to set to expire records after seconds. To configure SSSD to expire memory cache, set memcache_timeout to under the [nss] section in /etc/sssd/sssd.conf. For example:
[nss]
memcache_timeout = 
SLES-15-010490 sssd_memcache_timeout
V-234858 2007 medium The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day. If cached authentication information is out-of-date, the validity of the authentication information may be questionable. To verify that SSSD expires offline credentials, run the following command: $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf If configured properly, output should be offline_credentials_expiration = 1 Is it the case that it does not exist or is not configured properly? SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
SLES-15-010500 sssd_offline_cred_expiration
V-234859 2450 high FIPS 140-2 mode must be enabled on the SUSE operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. To verify /proc/sys/crypto/fips_enabled exists, run the following command: cat /proc/sys/crypto/fips_enabled The output should be: 1 Is it the case that the command 'cat /proc/sys/crypto/fips_enabled' returns nothing or '0' or the file does not exist? On a system where FIPS 140-2 mode is enabled, /proc/sys/crypto/fips_enabled must exist. To verify FIPS mode, run the following command:
cat /proc/sys/crypto/fips_enabled
SLES-15-010510 is_fips_mode_enabled
V-234860 2422 high All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
Run the following command to determine the current status of the sshd service: $ systemctl is-active sshd If the service is running, it should return the following: active Is it the case that ? The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
SLES-15-010530 service_sshd_enabled
V-234861 2824 medium The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses. Exposing kernel pointers (through procfs or seq_printf()) exposes kernel writeable structures that can contain functions pointers. If a write vulnereability occurs in the kernel allowing a write access to any of this structure, the kernel can be compromise. This option disallow any program withtout the CAP_SYSLOG capability from getting the kernel pointers addresses, replacing them with 0. The runtime status of the kernel.kptr_restrict kernel parameter can be queried by running the following command: $ sysctl kernel.kptr_restrict The output of the command should indicate a value of 1. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than kernel.kptr_restrict = 1 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains kernel.kptr_restrict = 1, and that one assignment is returned when $ grep -r kernel.kptr_restrict /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 1
SLES-15-010540 sysctl_kernel_kptr_restrict
V-234862 2824 medium Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution. Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. The runtime status of the kernel.randomize_va_space kernel parameter can be queried by running the following command: $ sysctl kernel.randomize_va_space The output of the command should indicate a value of 2. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*kernel.randomize_va_space\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than kernel.randomize_va_space = 2 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains kernel.randomize_va_space = 2, and that one assignment is returned when $ grep -r kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
SLES-15-010550 sysctl_kernel_randomize_va_space
V-234863 2617 medium The SUSE operating system must remove all outdated software components after updated versions have been installed. Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. To verify that solver.upgradeRemoveDroppedPackages is configured properly, run the following command: $ grep -i upgradeRemoveDroppedPackages /etc/zypp/zypp.conf The output should return something similar to: solver.upgradeRemoveDroppedPackages=true Is it the case that 'solver.upgradeRemoveDroppedPackages is not enabled or configured correctly'? zypper should be configured to remove previous software components after new versions have been installed. To configure zypper to remove the previous software components after updating, set the solver.upgradeRemoveDroppedPackages to 1 in /etc/zypp/zypp.conf. SLES-15-010560 clean_components_post_updating
V-234864 2702 medium The SUSE operating system must notify the System Administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions. By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root --check NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. Is it the case that there is no output? At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root  --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root  --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
SLES-15-010570 aide_periodic_cron_checking
V-234865 1851 medium The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly. A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. To ensure logs are sent to a remote host, examine the file /etc/rsyslog.conf. If using UDP, a line similar to the following should be present: *.* @ If using TCP, a line similar to the following should be present: *.* @@ If using RELP, a line similar to the following should be present: *.* :omrelp: Is it the case that none of these are present? To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @

To use TCP for log message delivery:
*.* @@

To use RELP for log message delivery:
*.* :omrelp:

There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
SLES-15-010580 rsyslog_remote_loghost
V-234866 16 medium The SUSE operating system must provision temporary accounts with an expiration date for 72 hours. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
For every temporary and emergency account, run the following command to obtain its account aging and expiration information: $ sudo chage -l USER Verify each of these accounts has an expiration date set as documented. Is it the case that any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame? Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.
SLES-15-020000 account_temp_expire_date
V-234867 2238 medium The SUSE operating system must lock an account after three consecutive invalid access attempts. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. To configure the operating system to lock an account after three unsuccessful consecutive access attempts using pam_tally2.so, modify the content of both /etc/pam.d/common-auth and /etc/pam.d/common-account as follows:

  • add or modify the pam_tally2.so module line in /etc/pam.d/common-auth to ensure both onerr=fail and deny= are present. For example:
    auth required pam_tally2.so onerr=fail silent audit deny=
  • add or modify the following line in /etc/pam.d/common-account:
    account required pam_tally2.so
Check that the systems locks a user account after - at most - consecutive failed login attempts with the following command: # grep pam_tally2.so /etc/pam.d/common-auth auth required pam_tally2.so onerr=fail deny= If no line is returned, the line is commented out, or the line is missing "onerr=fail", this is a finding. If the line has "deny" set to a value outside of the range 1-, this is a finding. Check that the system resets the failed login attempts counter after a successful login using the following command: # grep pam_tally2.so /etc/pam.d/common-account account required pam_tally2.so deny= If the account option is missing, or commented out, this is a finding. Is it the case that that is not the case? The SUSE Linux Enterprise 15 operating system must lock an account after - at most - consecutive invalid access attempts. SLES-15-020010 accounts_passwords_pam_tally2
V-234868 54 low The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. Run the following command to ensure the maxlogins value is configured for all users on the system: # grep "maxlogins" /etc/security/limits.conf You should receive output similar to the following: *\t\thard\tmaxlogins\t Is it the case that maxlogins is not equal to or less than the expected value? Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf or a file under /etc/security/limits.d/:
* hard maxlogins 
SLES-15-020020 accounts_max_concurrent_login_sessions
V-234869 768 medium The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Check that the pam_pkcs11.so option is configured in the etc/pam.d/common-auth file with the following command: # grep pam_pkcs11.so /etc/pam.d/common-auth auth sufficient pam_pkcs11.so If pam_pkcs11.so is not set in etc/pam.d/common-auth this is a finding. Is it the case that non-exempt accounts are not using CAC authentication? This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Check that the pam_pkcs11.so option is configured in the etc/pam.d/common-auth file with the following command:
# grep pam_pkcs11.so /etc/pam.d/common-auth

auth sufficient pam_pkcs11.so
For general information about enabling smart card authentication, consult the documentation at:
SLES-15-020030 smartcard_pam_enabled
V-234870 770 medium The SUSE operating system must deny direct logons to the root account using remote access via SSH. Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. To determine how the SSH daemon's PermitRootLogin option is set, run the following command: $ sudo grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no
SLES-15-020040 sshd_disable_root_login
V-234871 795 medium The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. To verify the INACTIVE setting, run the following command: $ grep "INACTIVE" /etc/default/useradd The output should indicate the INACTIVE configuration option is set to an appropriate integer as shown in the example below: $ grep "INACTIVE" /etc/default/useradd INACTIVE= Is it the case that the value of INACTIVE is greater than the expected value? To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd:
INACTIVE=
If a password is currently on the verge of expiration, then day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information.
SLES-15-020050 account_disable_post_pw_expiration
V-234872 1682 medium The SUSE operating system must never automatically remove or disable emergency administrator accounts. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. To address access requirements the SUSE operating system can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Check to see if an emergency administrator account password or account expires with the following command: # sudo chage -l [Emergency_Administrator] Password expires:never If Password expires or Account expires is set to anything other than never, this is a finding. Is it the case that any emergency administrator account or account password has an expiration date set? Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Check to see if an emergency administrator account password or account expires with the following command:
# sudo chage -l [Emergency_Administrator]

Password expires:never
If Password expires or Account expires is set to anything other than never, this is a finding.
SLES-15-020060 account_emergency_admin
V-234873 366 low The SUSE operating system must display the date and time of the last successful account logon upon logon. Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. To ensure that last logon/access notification is configured correctly, run the following command: $ grep pam_lastlog.so /etc/pam.d/login The output should show output showfailed and must not contain silent. Is it the case that that is not the case? To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/login to read as follows:
session     required pam_lastlog.so showfailed
And make sure that the silent option is not set.
SLES-15-020080 display_login_attempts
V-234874 366 medium The SUSE operating system must not have unnecessary accounts. Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. To verify that there are no unauthorized local user accounts, run the following command: $ less /etc/passwd Inspect the results, and if unauthorized local user accounts exist, remove them by running the following command: $ sudo userdel unauthorized_user Is it the case that there are unauthorized local user accounts on the system? Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only authorized local users required by the installed softoware groups and applications that exist on the operating system. The authorized user list can be customized in the refine value variable var_accounts_authorized_local_users_regex. OVAL regular expression is used for the user list. Configure the system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. To remove unauthorized system accounts, use the following command:
$ sudo userdel unauthorized_user
SLES-15-020090 accounts_authorized_local_users
V-234875 366 medium The SUSE operating system must not have unnecessary account capabilities. Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. To obtain a listing of all users, their UIDs, and their shells, run the command: $ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less than UID_MIN, other than root. Value of the UID_MIN directive is set in /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000. Is it the case that any system account (other than root) has a login shell? Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than UID_MIN, where value of UID_MIN directive is set in /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin SYSACCT
SLES-15-020091 no_shelllogin_for_systemaccounts
V-234876 366 high The SUSE operating system root account must be the only account with unrestricted access to the system. An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. To list all password file entries for accounts with UID 0, run the following command: $ awk -F: '($3 == \"0\") {print}' /etc/passwd This should print only one line, for the user root. If there is a finding, change the UID of the failing (non-root) user. If the account is associated with the system commands or applications the UID should be changed to one greater than 0 but less than 1000. Otherwise assign a UID of greater than 1000 that has not already been assigned. Is it the case that any account other than root has a UID of 0? If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
SLES-15-020100 accounts_no_uid_except_zero
V-234877 366 medium The SUSE operating system must restrict privilege elevation to authorized personnel. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. To determine if "sudoers" file, restricts sudo access, run the following commands: $ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* $ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* Both commands should return no output. Is it the case that /etc/sudoers file does not restrict sudo access to authorized personnel? The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. Restrict privileged actions by removing the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL SLES-15-020101 sudo_restrict_privilege_elevation_to_authorized
V-234878 2038 medium The SUSE operating system must require re-authentication when using the "sudo" command. Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges, run the following command: sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d The output should be: /etc/sudoers:Defaults timestamp_timeout=0 or "timestamp_timeout" is set to a positive number. Is it the case that timestamp_timeout is not set with the appropriate value for sudo? The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. SLES-15-020102 sudo_require_reauthentication
V-234879 366 medium The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo". If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation: sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' If no results are returned, this is a finding If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. If "Defaults !runaspw" is not defined, this is a finding. Is it the case that invoke user passwd when using sudo? The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output for:
sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
 /etc/sudoers:Defaults !targetpw
      /etc/sudoers:Defaults !rootpw
      /etc/sudoers:Defaults !runaspw 
SLES-15-020103 sudoers_validate_passwd
V-234880 366 medium All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory. If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. Check if the system is configured to create home directories for local interactive users with the following command: $ sudo grep create_home /etc/login.defs Is it the case that the value of CREATE_HOME is not set to yes, is missing, or the line is commented out? All local interactive user accounts, upon creation, should be assigned a home directory.

Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows:

CREATE_HOME yes
SLES-15-020110 accounts_have_homedir_login_defs
V-234881 366 medium The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon. Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. To check if PrintLastLog is enabled or set correctly, run the following command: $ sudo grep PrintLastLog /etc/ssh/sshd_config If configured properly, output should be yes Is it the case that it is commented out or is not enabled? When enabled, SSH will display the date and time of the last successful account logon. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
PrintLastLog yes
SLES-15-020120 sshd_print_last_log
V-234882 192 medium The SUSE operating system must enforce passwords that contain at least one uppercase character. Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. To check how many uppercase characters are required in a password, run the following command: grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ucredit= The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit=-1. Is it the case that ucredit is not found or not set to the required value? The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords. SLES-15-020130 cracklib_accounts_password_pam_ucredit
V-234883 193 medium The SUSE operating system must enforce passwords that contain at least one lowercase character. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. Check that the operating system enforces password complexity by requiring that at least one lower-case character be used by using the following command: # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so lcredit= If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain lcredit=, this is a finding. The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit=-1. Is it the case that lcredit is not found or not set to the required value? The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords. SLES-15-020140 cracklib_accounts_password_pam_lcredit
V-234884 194 medium The SUSE operating system must enforce passwords that contain at least one numeric character. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. To check how many digits are required in a password, run the following command: # grep pam_cracklib /etc/pam.d/common-password password requisite pam_cracklib.so dcredit= The dcredit parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as dcredit=-1. Is it the case that dcredit is not found or not set to the required value? The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords. SLES-15-020150 cracklib_accounts_password_pam_dcredit
V-234885 195 medium The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed. Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. To check how many characters must differ during a password change, run the following command: # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so difok= The difok parameter will indicate how many characters must differ. The DoD requires at least eight characters differ during a password change. This would appear as difok=8. Is it the case that difok is not found or not set to the required value? The pam_cracklib module's difok parameter controls requirements for usage of different characters during a password change. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Make sure the difok parameter for the pam_cracklib module is configured to greater than or equal to . SLES-15-020160 cracklib_accounts_password_pam_difok
V-234886 196 medium The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
Inspect the contents of /etc/pam.d/common-password and ensure that the pam_unix.so module includes the argument sha512: $ grep sha512 /etc/pam.d/common-password Is it the case that it does not? The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/common-password, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    required    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
SLES-15-020170 set_password_hashing_algorithm_systemauth
V-234887 803 medium The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords. The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Check that the interactive user account passwords are using a strong password hash with the following command: # sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes ! or * indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with $6, this is a finding. Is it the case that passwords hashed with an unauthorized algorithm are found in /etc/shadow? Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command:
# sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
Password hashes ! or * indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with $6, this is a finding.
SLES-15-020180 accounts_password_all_shadowed_sha512
V-234888 medium The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords. SLES-15-020190 Missing Rule
V-234889 198 medium The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day). Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs Is it the case that it is not equal to or greater than the required value? To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MIN_DAYS 
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is .
SLES-15-020200 accounts_minimum_age_login_defs
V-234890 198 medium The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day). Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Check whether the minimum time period between password changes for each user account is one day or greater by running the following command for each user: $ sudo chage -l USER | grep Minimum The output for each user should return something similary to the following: Minimum number of days between password change\t\t: 1 Is it the case that existing passwords are not configured correctly? Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:
$ sudo chage -m 1 USER
SLES-15-020210 accounts_password_set_min_life_existing
V-234891 199 medium The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The DoD and FISMA requirement is 60. A value of 180 days is sufficient for many environments. Is it the case that PASS_MAX_DAYS is not set equal to or greater than the required value? To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MAX_DAYS 
A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .
SLES-15-020220 accounts_maximum_age_login_defs
V-234892 199 medium The SUSE operating system must employ user passwords with a maximum lifetime of 60 days. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Check whether the maximum time period for existing passwords is restricted to 60 days by running the following command for each user: $ sudo chage -l USER | grep Maximum The output for each user should return something similary to the following: Maximum number of days between password change\t\t: 60 Is it the case that existing passwords are not configured correctly? Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command:
$ sudo chage -M 60 USER
SLES-15-020230 accounts_password_set_max_life_existing
V-234893 200 medium The SUSE operating system must employ a password history file. The /etc/security/opasswd file stores old passwords to prevent password reuse. Protection of this file is critical for system security. To check the ownership of /etc/security/opasswd, run the command: $ ls -lL /etc/security/opasswd If properly configured, the output should indicate the following owner: root To check the group ownership of /etc/security/opasswd, run the command: $ ls -lL /etc/security/opasswd If properly configured, the output should indicate the following group-owner: root To check the permissions of /etc/security/opasswd, run the command: $ ls -l /etc/security/opasswd If properly configured, the output should indicate the following permissions: 0600 Is it the case that /etc/security/opasswd has owner root and /etc/security/opasswd has group owner root and /etc/security/opasswd has unix mode 0600? To properly set the owner of /etc/security/opasswd, run the command:
$ sudo chown root /etc/security/opasswd 
To properly set the group owner of /etc/security/opasswd, run the command:
$ sudo chgrp root /etc/security/opasswd
To properly set the permissions of /etc/security/opasswd, run the command:
$ sudo chmod 0600 /etc/security/opasswd
SLES-15-020240 file_etc_security_opasswd
V-234894 200 medium The SUSE operating system must not allow passwords to be reused for a minimum of five generations. Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. To verify the password reuse setting is compliant, run the following command: $ grep remember /etc/pam.d/system-auth The output should show the following at the end of the line: remember= Is it the case that the value of remember is not set equal to or greater than the expected setting? Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:
  • for the pam_unix.so case:
    password sufficient pam_unix.so ...existing_options... remember=
  • for the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ...existing_options... remember=
The DoD STIG requirement is 5 passwords.
SLES-15-020250 accounts_password_pam_unix_remember
V-234895 205 medium The SUSE operating system must employ passwords with a minimum of 15 characters. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. To check how many characters are required in a password, run the following command: $ grep pam_cracklib.so /etc/pam.d/common-password Your output should contain minlen= Is it the case that minlen is not found or not set to the required value (or higher)? The pam_cracklib module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= to set minimum password length requirements. SLES-15-020260 cracklib_accounts_password_pam_minlen
V-234896 1619 medium The SUSE operating system must enforce passwords that contain at least one special character. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. To check how many special characters are required in a password, run the following command: # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ocredit= The ocredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit=-1. Is it the case that ocredit is not found or not set to the required value? The pam_cracklib module's ocredit= parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Make sure the ocredit parameter for the pam_cracklib module is set to less than or equal to . For example, ocredit=. SLES-15-020270 cracklib_accounts_password_pam_ocredit
V-234897 366 medium The SUSE operating system must prevent the use of dictionary words for passwords. To reduce opportunities for successful guesses and brute-force attacks. Check the password retry limit with the following command: # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so retry= If the command does not return anything, or the returned line is commented out, this is a finding. If the value of retry is greater than , this is a finding. Is it the case that retry is not found or not set to the required value (or lower)? The pam_cracklib module's retry parameter controls the maximum number of times to prompt the user for the password before returning with error. Make sure it is configured with a value that is no more than . For example, retry=1. SLES-15-020290 cracklib_accounts_password_pam_retry
V-234898 366 high The SUSE operating system must not be configured to allow blank or null passwords. If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. To verify that null passwords cannot be used, run the following command: $ grep pam_unix.so /etc/pam.d/* | grep nullok If this produces any output, it may be possible to log into accounts with empty passwords. Remove any instances of the nullok option to prevent logins with empty passwords. Is it the case that NULL passwords can be used? If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in password authentication configurations in /etc/pam.d/ to prevent logins with empty passwords. Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway. SLES-15-020300 no_empty_passwords
V-234899 1686 medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
SLES-15-030000 audit_rules_usergroup_modification_passwd
V-234900 172 medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/group)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification
SLES-15-030010 audit_rules_usergroup_modification_group
V-234901 2132 medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/shadow)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
SLES-15-030020 audit_rules_usergroup_modification_shadow
V-234902 1403 medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
SLES-15-030030 audit_rules_usergroup_modification_opasswd
V-234903 2130 medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/gshadow)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
SLES-15-030040 audit_rules_usergroup_modification_gshadow
V-234904 2884 medium SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Run the following command to determine the current status of the auditd service: $ systemctl is-active auditd If the service is running, it should return the following: active Is it the case that ? The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
SLES-15-030050 service_auditd_enabled
V-234905 2884 low The SUSE operating system must generate audit records for all uses of the ssh-keysign command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030060 audit_rules_privileged_commands_ssh_keysign
V-234906 2884 medium The SUSE operating system must generate audit records for all uses of the passwd command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030070 audit_rules_privileged_commands_passwd
V-234907 2884 low The SUSE operating system must generate audit records for all uses of the gpasswd command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030080 audit_rules_privileged_commands_gpasswd
V-234908 2884 low The SUSE operating system must generate audit records for all uses of the newgrp command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030090 audit_rules_privileged_commands_newgrp
V-234909 2884 low The SUSE operating system must generate audit records for a uses of the chsh command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030100 audit_rules_privileged_commands_chsh
V-234910 2884 medium The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030110 audit_rules_privileged_commands_unix_chkpwd
V-234911 2884 medium The SUSE operating system must generate audit records for all uses of the chage command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030120 audit_rules_privileged_commands_chage
V-234912 2884 medium The SUSE operating system must generate audit records for all uses of the crontab command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030130 audit_rules_privileged_commands_crontab
V-234913 2884 medium The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d" Is it the case that there is not output? At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
SLES-15-030140 audit_rules_sysadmin_actions
V-234914 2884 medium The SUSE operating system must generate audit records for all uses of the open system call. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the open system call, run the following command: preserve$ sudo grep "open" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SLES-15-030150 audit_rules_unsuccessful_file_modification_open
V-234915 2884 medium The SUSE operating system must generate audit records for all uses of the creat system call. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the creat system call, run the following command: preserve$ sudo grep "creat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SLES-15-030160 audit_rules_unsuccessful_file_modification_creat
V-234916 2884 medium The SUSE operating system must generate audit records for all uses of the openat system call. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the openat system call, run the following command: preserve$ sudo grep "openat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SLES-15-030170 audit_rules_unsuccessful_file_modification_openat
V-234917 2884 medium The SUSE operating system must generate audit records for all uses of the open_by_handle_at system call. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the open_by_handle_at system call, run the following command: preserve$ sudo grep "open_by_handle_at" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SLES-15-030180 audit_rules_unsuccessful_file_modification_open_by_handle_at
V-234918 2884 medium The SUSE operating system must generate audit records for all uses of the removexattr system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the removexattr system call, run the following command: preserve$ sudo grep "removexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030190 audit_rules_dac_modification_removexattr
V-234919 2884 medium The SUSE operating system must generate audit records for all uses of the lremovexattr system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the lremovexattr system call, run the following command: preserve$ sudo grep "lremovexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030200 audit_rules_dac_modification_lremovexattr
V-234920 2884 medium The SUSE operating system must generate audit records for all uses of the fremovexattr system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fremovexattr system call, run the following command: preserve$ sudo grep "fremovexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030210 audit_rules_dac_modification_fremovexattr
V-234921 2884 medium The SUSE operating system must generate audit records for all uses of the setxattr system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the setxattr system call, run the following command: preserve$ sudo grep "setxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030220 audit_rules_dac_modification_setxattr
V-234922 2884 medium The SUSE operating system must generate audit records for all uses of the fsetxattr system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fsetxattr system call, run the following command: preserve$ sudo grep "fsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030230 audit_rules_dac_modification_fsetxattr
V-234923 2884 medium The SUSE operating system must generate audit records for all uses of the lsetxattr system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the lsetxattr system call, run the following command: preserve$ sudo grep "lsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030240 audit_rules_dac_modification_lsetxattr
V-234924 2884 medium The SUSE operating system must generate audit records for all uses of the chown system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the chown system call, run the following command: preserve$ sudo grep "chown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030250 audit_rules_dac_modification_chown
V-234925 2884 medium The SUSE operating system must generate audit records for all uses of the fchown system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchown system call, run the following command: preserve$ sudo grep "fchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030260 audit_rules_dac_modification_fchown
V-234926 2884 medium The SUSE operating system must generate audit records for all uses of the lchown system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the lchown system call, run the following command: preserve$ sudo grep "lchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030270 audit_rules_dac_modification_lchown
V-234927 2884 medium The SUSE operating system must generate audit records for all uses of the fchownat system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchownat system call, run the following command: preserve$ sudo grep "fchownat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030280 audit_rules_dac_modification_fchownat
V-234928 2884 medium The SUSE operating system must generate audit records for all uses of the chmod system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the chmod system call, run the following command: preserve$ sudo grep "chmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030290 audit_rules_dac_modification_chmod
V-234929 2884 medium The SUSE operating system must generate audit records for all uses of the fchmod system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchmod system call, run the following command: preserve$ sudo grep "fchmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030300 audit_rules_dac_modification_fchmod
V-234930 2884 medium The SUSE operating system must generate audit records for all uses of the fchmodat system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchmodat system call, run the following command: preserve$ sudo grep "fchmodat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030310 audit_rules_dac_modification_fchmodat
V-234931 2884 medium The SUSE operating system must generate audit records for all uses of the ftruncate system call. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the ftruncate system call, run the following command: preserve$ sudo grep "ftruncate" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SLES-15-030320 audit_rules_unsuccessful_file_modification_ftruncate
V-234932 2884 medium The SUSE operating system must generate audit records for all uses of the sudoedit command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030330 audit_rules_privileged_commands_sudoedit
V-234933 2884 low The SUSE operating system must generate audit records for all uses of the chfn command. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). To verify that auditing of privileged command use is configured, run the following command: $ sudo grep chfn /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030340 audit_rules_privileged_commands_chfn
V-234934 2884 low The SUSE operating system must generate audit records for all uses of the mount system call. The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. To verify that auditing is configured for all media exportation events, run the following command: $ sudo auditctl -l | grep syscall | grep mount Is it the case that there is no output? At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
SLES-15-030350 audit_rules_media_export
V-234935 2884 low The SUSE operating system must generate audit records for all uses of the umount system call. The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the umount2 system call, run the following command: preserve$ sudo grep "umount2" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file system umount2 changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
SLES-15-030360 audit_rules_dac_modification_umount2
V-234936 2884 low The SUSE operating system must generate audit records for all uses of the ssh-agent command. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/ssh-agent" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that it is not the case? At a minimum, the audit system should collect any execution attempt of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
SLES-15-030370 audit_rules_privileged_commands_ssh_agent
V-234937 2884 medium The SUSE operating system must generate audit records for all uses of the insmod command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: sudo auditctl -l | grep -w '/sbin/insmod' If the system is configured to audit the execution of the module management program "insmod", the command will return a line. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/insmod -p x -k modules
SLES-15-030380 audit_rules_privileged_commands_insmod
V-234938 2884 medium The SUSE operating system must generate audit records for all uses of the rmmod command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: sudo auditctl -l | grep -w '/sbin/rmmod' If the system is configured to audit the execution of the module management program "rmmod", the command will return a line. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/rmmod -p x -k modules
SLES-15-030390 audit_rules_privileged_commands_rmmod
V-234939 2884 medium The SUSE operating system must generate audit records for all uses of the modprobe command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: sudo auditctl -l | grep -w '/sbin/modprobe' -w /sbin/modprobe -p x -k modules It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /sbin/modprobe -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-w /sbin/modprobe -p x -k modules
SLES-15-030400 audit_rules_privileged_commands_modprobe
V-234940 2884 medium The SUSE operating system must generate audit records for all uses of the kmod command. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). To verify that auditing of privileged command use is configured, run the following command: # sudo grep kmod /etc/audit/audit.rules -w /usr/bin/kmod -p x -k modules If the system is configured to audit the execution of the module management program "kmod", the command will return a line. If the command does not return a line, or the line is commented out, this is a finding. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /usr/bin/kmod -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-w /usr/bin/kmod -p x -k modules
SLES-15-030410 audit_rules_privileged_commands_kmod
V-234941 2884 medium The SUSE operating system must generate audit records for all uses of the chmod command. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/chmod" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged Is it the case that ? At a minimum, the audit system should collect any execution attempt of the chmod command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030420 audit_rules_execution_chmod
V-234942 2884 medium The SUSE operating system must generate audit records for all uses of the setfacl command. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). To verify that execution of the command is being audited, run the following command: Configure the operating system to generate an audit record for all uses of the "setfacl" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b32 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -a always,exit -F arch=b64 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service $ sudo grep "path=/usr/bin/setfacl" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged Is it the case that ? At a minimum, the audit system should collect any execution attempt of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030430 audit_rules_execution_setfacl
V-234943 2884 medium The SUSE operating system must generate audit records for all uses of the chacl command. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). To verify that execution of the command is being audited, run the following command: Configure the operating system to generate an audit record for all uses of the "chacl" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -a always,exit -F arch=b64 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service Is it the case that ? At a minimum, the audit system should collect any execution attempt of the chacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030440 audit_rules_execution_chacl
V-234944 2884 medium The SUSE operating system must generate audit records for all uses of the chcon command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged Is it the case that ? At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030450 audit_rules_execution_chcon
V-234945 2884 medium The SUSE operating system must generate audit records for all uses of the rm command. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). To verify that execution of the command is being audited, run the following command: $ sudo grep "path=/usr/bin/rm" /etc/audit/audit.rules /etc/audit/rules.d/* The output should return something similar to: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged Is it the case that ? At a minimum, the audit system should collect any execution attempt of the rm command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030460 audit_rules_execution_rm
V-234946 2884 medium The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record. Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/var/log/tallylog\|-w /var/log/tallylog" Is it the case that there is not output? The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
SLES-15-030470 audit_rules_login_events_tallylog
V-234947 2884 medium The SUSE operating system must generate audit records for all modifications to the lastlog file. Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/var/log/lastlog\|-w /var/log/lastlog" Is it the case that there is not output? The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
SLES-15-030480 audit_rules_login_events_lastlog
V-234948 2884 medium The SUSE operating system must generate audit records for all uses of the passmass command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep passmass /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030490 audit_rules_privileged_commands_passmass
V-234949 2884 medium The SUSE operating system must generate audit records for all uses of the usermod command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep usermod /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030500 audit_rules_privileged_commands_usermod
V-234950 2884 medium The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030510 audit_rules_privileged_commands_pam_timestamp_check
V-234951 2884 medium The SUSE operating system must generate audit records for all uses of the delete_module system call. The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To determine if the system is configured to audit calls to the delete_module system call, run the following command: preserve$ sudo grep "delete_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
SLES-15-030520 audit_rules_kernel_module_loading_delete
V-234952 2884 medium The SUSE operating system must generate audit records for all uses of the finit_module system call. The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To determine if the system is configured to audit calls to the finit_module system call, run the following command: preserve$ sudo grep "finit_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
SLES-15-030530 audit_rules_kernel_module_loading_finit
V-234953 2884 medium The SUSE operating system must generate audit records for all uses of the init_module system call. The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To determine if the system is configured to audit calls to the init_module system call, run the following command: preserve$ sudo grep "init_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
SLES-15-030540 audit_rules_kernel_module_loading_init
V-234954 2884 medium The SUSE operating system must generate audit records for all uses of the su command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030550 audit_rules_privileged_commands_su
V-234955 2884 low The SUSE operating system must generate audit records for all uses of the sudo command. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command: $ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SLES-15-030560 audit_rules_privileged_commands_sudo
V-234956 139 medium The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event. Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: action_mail_acct = Is it the case that auditd is not configured to send emails per identified actions? The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = 
SLES-15-030570 auditd_data_retention_action_mail_acct
V-234957 139 medium The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure. A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address. Find the list of alias maps used by the Postfix mail server: $ sudo postconf alias_maps Query the Postfix alias maps for an alias for the root user: $ sudo postmap -q root hash:/etc/aliases The output should return an alias. Is it the case that it is not? Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address is a valid email address reachable from the system in question. Use the following command to configure the alias:
$ sudo echo "root: " >> /etc/aliases
$ sudo newaliases
SLES-15-030580 postfix_client_configure_mail_alias
V-234958 140 medium The SUSE operating system audit system must take appropriate action when the audit storage volume is full. Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either log to syslog, switch to single-user mode, execute a script, or halt when the disk is out of space: disk_full_action single Is it the case that the system is not configured to switch to single-user mode for corrective action? The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
SLES-15-030590 auditd_data_disk_full_action
V-234959 164 medium The SUSE operating system must protect audit rules from unauthorized modification. Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Check that permissions.local file contains the correct permissionsi rules with the following command: # grep -i audit /etc/permissions.local /var/log/audit/ root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 If the command does not return all the above lines, the missing ones need to be added. Run the following command to correct the permissions after adding missing entries: # sudo chkstat --set --system Is it the case that ? Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to bei read by any non-root user. Check that "permissions.local" file contains the correct permissions rules with the following command:
# grep -i audit /etc/permissions.local

/var/log/audit/ root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640
SLES-15-030600 permissions_local_var_log_audit
V-234960 172 medium The SUSE operating system must generate audit records for all uses of the truncate command. Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the truncate system call, run the following command: preserve$ sudo grep "truncate" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SLES-15-030610 audit_rules_unsuccessful_file_modification_truncate
V-234961 1495 medium The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SUSE operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Check that permissions.local file contains the correct permissions rules with the following command: grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 0750 /usr/sbin/auditctl root:root 0750 /usr/sbin/auditd root:root 0750 /usr/sbin/ausearch root:root 0755 /usr/sbin/aureport root:root 0755 /usr/sbin/autrace root:root 0750 /usr/sbin/augenrules root:root 0750 If the command does not return all the above lines, the missing ones need to be added. Run the following command to correct the permissions after adding missing entries: # sudo chkstat --set --system Is it the case that ? The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. Check that "permissions.local" file contains the correct permissions rules with the following command:
grep "^/usr/sbin/au" /etc/permissions.local

/usr/sbin/audispd root:root 0750
/usr/sbin/auditctl root:root 0750
/usr/sbin/auditd root:root 0750
/usr/sbin/ausearch root:root 0755
/usr/sbin/aureport root:root 0755
/usr/sbin/autrace root:root 0750
/usr/sbin/augenrules root:root 0750
Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
SLES-15-030620 permissions_local_audit_binaries
V-234962 1496 medium The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools. Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command: # sudo cat /etc/aide.conf | grep /usr/sbin/au /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 If AIDE is configured properly to protect the integrity of the audit tools, all lines listed above will be returned from the command. If one or more lines are missing, this is a finding. Is it the case that integrity checks of the audit tools are missing or incomplete? The operating system file integrity tool must be configured to protect the integrity of the audit tools. SLES-15-030630 aide_check_audit_tools
V-234963 1875 low The SUSE operating system must generate audit records for all uses of the privileged functions. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service Is it the case that it is not the case? Verify the system generates an audit record when privileged functions are executed.
# grep -iw execve /etc/audit/audit.rules
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
SLES-15-030640 audit_rules_suid_privilege_function
V-234964 1878 medium The SUSE operating system must have the auditing package installed. The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. Run the following command to determine if the audit package is installed: $ rpm -q audit Is it the case that the package is not installed? The audit package should be installed. SLES-15-030650 package_audit_installed
V-234965 1849 medium The SUSE operating system must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity. To verify whether audispd plugin off-loads audit records onto a different system or media from the system being audited, run the following command: # grep -i remote_server /etc/audisp/audisp-remote.conf The output should return something similar to where REMOTE_SYSTEM is an IP address or hostname: remote_server = REMOTE_SYSTEM Determine which partition the audit records are being written to with the following command: # grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to with the following command and verify whether it is sufficiently large: # df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit Is it the case that audispd is not sending logs to a remote system and the local partition has inadequate? The SUSE Linux Enterprise 15 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Determine which partition the audit records are being written to with the following command:
# grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Check the size of the partition that audit records are written to with the following command:
# df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
SLES-15-030660 auditd_audispd_configure_sufficiently_large_partition
V-234966 1851 medium The audit-audispd-plugins must be installed on the SUSE operating system. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Is it the case that the package is not installed? The audit-audispd-plugins package should be installed. SLES-15-030670 package_audit-audispd-plugins_installed
V-234967 1851 low The SUSE operating system audit event multiplexor must be configured to use Kerberos. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. To verify the audispd plugin encrypts audit records off-loaded onto a different system or media from the system being audited, run the following command: $ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf The output should return the following: enable_krb5 = yes Is it the case that audispd is not encrypting audit records when sent over the network? Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the enable_krb5 option in
/etc/audisp/audisp-remote.conf
, and set it with the following line:
enable_krb5 = yes
SLES-15-030680 auditd_audispd_encrypt_sent_records
V-234968 1851 low Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited. Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity. To verify the audispd plugin off-loads audit records onto a different system or media from the system being audited, run the following command: $ sudo grep -i remote_server /etc/audisp/audisp-remote.conf The output should return something similar to remote_server = Is it the case that audispd is not sending logs to a remote system? Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the remote_server option in
/etc/audisp/audisp-remote.conf
with an IP address or hostname of the system that the audispd plugin should send audit records to. For example
remote_server = 
SLES-15-030690 auditd_audispd_configure_remote_server
V-234969 1855 medium The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full. Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured correctly: space_left SIZE_in_MB Is it the case that the system is not configured a specfic size in MB to notify administrators of an issue? The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately:
space_left = SIZE_in_MB
Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue.
SLES-15-030700 auditd_data_retention_space_left
V-234970 172 medium The SUSE operating system must generate audit records for all uses of the rename system call. Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the rename system call, run the following command: preserve$ sudo grep "rename" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
SLES-15-030710 audit_rules_unsuccessful_file_modification_rename
V-234971 172 medium The SUSE operating system must generate audit records for all uses of the renameat system call. Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the renameat system call, run the following command: preserve$ sudo grep "renameat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
SLES-15-030720 audit_rules_unsuccessful_file_modification_renameat
V-234972 172 medium The SUSE operating system must generate audit records for all uses of the renameat2 system call. Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the renameat2 system call, run the following command: preserve$ sudo grep "renameat2" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S renameat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat2 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S renameat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat2 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
SLES-15-030730 audit_rules_unsuccessful_file_modification_renameat2
V-234973 172 medium The SUSE operating system must generate audit records for all uses of the unlink system call. Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the unlink system call, run the following command: preserve$ sudo grep "unlink" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
SLES-15-030740 audit_rules_unsuccessful_file_modification_unlink
V-234974 172 medium The SUSE operating system must generate audit records for all uses of the unlinkat system call. Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To determine if the system is configured to audit calls to the unlinkat system call, run the following command: preserve$ sudo grep "unlinkat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
SLES-15-030750 audit_rules_unsuccessful_file_modification_unlinkat
V-234975 172 medium The SUSE operating system must generate audit records for the /run/utmp file. Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. To Check the file is being audited by performing the following command sudo auditctl -l | grep -w '/run/utmp' Is it the case that Audit rule is not present? The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:
-w /run/utmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
-w /run/utmp -p wa -k session
SLES-15-030760 audit_rules_session_events_utmp
V-234976 172 medium The SUSE operating system must generate audit records for the /var/log/wtmp file. Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. Check that the file is being audited by performing the following command: sudo auditctl -l | grep -w '/var/log/wtmp' Is it the case that Audit rule is not present? The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:
 -w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
 -w /var/log/wtmp -p wa -k session
SLES-15-030770 audit_rules_session_events_wtmp
V-234977 172 medium The SUSE operating system must generate audit records for the /var/log/btmp file. Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. Check that the file is being audited by running the following command: sudo auditctl -l | grep -w '/var/log/btmp' Is it the case that Audit rule is not present? The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/log/btmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/log/btmp -p wa -k session
SLES-15-030780 audit_rules_session_events_btmp
V-234978 1851 medium The SUSE operating system must off-load audit records onto a different system or media from the system being audited. Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to perform a correct action according to the policy: grep -i network_failure_action /etc/audisp/audisp-remote.conf The output should return: network_failure_action = Is it the case that the system is not configured to switch to single user mode for corrective action? Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately:
network_failure_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. This profile configures the action to be .
SLES-15-030790 auditd_audispd_network_failure_action
V-234979 1851 medium Audispd must take appropriate action when the SUSE operating system audit storage is full. Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to either send to syslog, switch to single user mode, or halt when the disk is full: grep -i disk_full_action /etc/audisp/audisp-remote.conf The output should return something similar to: disk_full_action = single Acceptable values also include syslog and halt. Is it the case that the system is not configured to switch to single user mode for corrective action? Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file /etc/audisp/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.
SLES-15-030800 auditd_audispd_disk_full_action
V-234980 366 low The SUSE operating system must use a separate file system for the system audit data path. Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. Run the following command to determine if /var/log/audit is on its own partition or logical volume: $ mount | grep "on /var/log/audit" If /var/log/audit has its own partition or volume group, a line will be returned. Is it the case that no line is returned? Audit logs are stored in the /var/log/audit directory. Ensure that /var/log/audit has its own partition or logical volume at installation time, or migrate it using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. SLES-15-030810 partition_for_var_log_audit
V-234981 366 medium The SUSE operating system must not disable syscall auditing. Audit rules for syscalls do not take effect unless this line is removed. To check for the offending line, run the following command: $ grep task,never /etc/audit/{rules.d,.}/audit.rules There must not be any output, or else these lines must be removed from the matching files. Is it the case that syscall auditing is still disabled? By default, SUSE Linux Enterprise 15 ships an audit rule to disable syscall auditing for performance reasons. To make sure that syscall auditing works, this line must be removed from /etc/audit/rules.d/audit.rules and /etc/audit/audit.rules:
-a task,never
SLES-15-030820 audit_rules_enable_syscall_auditing
V-234982 366 medium The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. Verify that the SUSE Linux Enterprise 15 operating system enforces a minimum delay betweeen logon prompts following a failed logon attempt. # grep pam_faildelay /etc/pam.d/common-auth auth required pam_faildelay.so delay= If the value of delay is not set to or greater, "delay" is commented out, "delay" is missing, or the "pam_faildelay" line is missing completely, this is a finding. Is it the case that that is not the case? To configure the system to introduce a delay after failed logon attempts, add or correct the pam_faildelay settings in /etc/pam.d/common-auth to make sure its delay parameter is at least or greater. For example:
auth required pam_faildelay.so delay=
SLES-15-040000 accounts_passwords_pam_faildelay_delay
V-234983 medium The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. SLES-15-040010 Missing Rule
V-234984 366 high There must be no .shosts files on the SUSE operating system. The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. To verify that there are no .shosts files on the system, run the following command: $ sudo find / -name '.shosts' No output should be returned. Is it the case that these files exist? The ~/.shosts (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete
SLES-15-040020 no_user_host_based_files
V-234985 366 high There must be no shosts.equiv files on the SUSE operating system. The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. To verify that there are no shosts.equiv files on the system, run the following command: $ find / -name shosts.equiv No output should be returned. Is it the case that these files exist? The shosts.equiv file list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
SLES-15-040030 no_host_based_files
V-234986 366 low The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs). ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. To determine that AIDE is verifying ACLs, run the following command: $ grep acl /etc/aide.conf Verify that the acl option is added to the correct ruleset. Is it the case that the acl option is missing or not added to the correct ruleset? By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds acl to all rule sets available in /etc/aide.conf
SLES-15-040040 aide_verify_acls
V-234987 366 low The SUSE operating system file integrity tool must be configured to verify extended attributes. Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. To determine that AIDE is verifying extended file attributes, run the following command: $ grep xattrs /etc/aide.conf Verify that the xattrs option is added to the correct ruleset. Is it the case that the xattrs option is missing or not added to the correct ruleset? By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in /etc/aide.conf
SLES-15-040050 aide_verify_ext_attributes
V-234988 366 high The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence. A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check that the ctrl-alt-del.target is masked and not active with the following command: sudo systemctl status ctrl-alt-del.target The output should indicate that the target is masked and not active. It might resemble following output: ctrl-alt-del.target Loaded: masked (/dev/null; bad) Active: inactive (dead) Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target


Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
SLES-15-040060 disable_ctrlaltdel_reboot
V-234989 high The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces. SLES-15-040061 Missing Rule
V-234990 366 high The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence. A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. To ensure the system is configured to ignore the Ctrl-Alt-Del setting, enter the following command: $ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf The output should return: CtrlAltDelBurstAction=none Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.? By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf:
CtrlAltDelBurstAction=none
SLES-15-040062 disable_ctrlaltdel_burstaction
V-234991 366 medium All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file. If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. To verify interactive users on the system have a home directory assigned, run the following command: $ sudo awk -F":" '{print $1 ":" $6}' /etc/passwd Inspect the output and verify that all interactive users have a home directory defined. Is it the case that users home directory is not defined? Assign home directories to all interactive users that currently do not have a home directory assigned. SLES-15-040070 accounts_user_interactive_home_directory_defined
V-234992 366 medium All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist. If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. To verify the assigned home directory of all interactive users on the system exist, run the following command: $ sudo pwck -r The output should not return any interactive users. Is it the case that users home directory does not exist? Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
SLES-15-040080 accounts_user_interactive_home_directory_exists
V-234993 366 medium All SUSE operating system local interactive user home directories must have mode 0750 or less permissive. Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. To verify the assigned home directory of all interactive user home directories have a mode of 0750 or less permissive, run the following command: $ sudo ls -l /home Inspect the output for any directories with incorrect permissions. Is it the case that they are more permissive? Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command:
$ sudo chmod 0750 /home/USER
SLES-15-040090 file_permissions_home_directories
V-234994 366 medium All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group. If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should. To verify the assigned home directory of all interactive users is group- owned by that users primary GID, run the following command: # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) Is it the case that the group ownership is incorrect? Change the group owner of interactive users home directory to the group found in /etc/passwd. To change the group owner of interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
SLES-15-040100 file_groupownership_home_directories
V-234995 366 medium All SUSE operating system local initialization files must have mode 0740 or less permissive. Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. To verify that all user initialization files have a mode of 0740 or less permissive, run the following command: $ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \) There should be no output. Is it the case that they are not 0740 or more permissive? Set the mode of the user initialization files to 0740 with the following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE
SLES-15-040110 file_permission_user_init_files
V-234996 366 medium All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory. The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). To verify that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory, run the following command: $ sudo grep -r PATH /home/ Inspect the output for any PATH is references directories outside the home directory. Is it the case that paths contain more than local home directories? Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory. SLES-15-040120 accounts_user_home_paths_only
V-234997 366 medium All SUSE operating system local initialization files must not execute world-writable programs. If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. To verify that local initialization files do not execute world-writable programs, execute the following command: $ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \; There should be no output. Is it the case that files are executing world-writable programs? Set the mode on files being executed by the user initialization files with the following command:
$ sudo chmod 0755 FILE
SLES-15-040130 accounts_user_dot_no_world_writable_programs
V-234998 366 medium SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. To verify the nosuid option is configured for the /home mount point, run the following command: $ mount | grep '\s/home\s' The output should show the corresponding mount point along with the nosuid setting in parentheses. Is it the case that the is not present in the output line, or there is no output line at all? The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home. SLES-15-040140 mount_option_home_nosuid
V-234999 366 medium SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. SLES-15-040150 mount_option_nosuid_removable_partitions
V-235000 366 medium SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. To verify the nosuid option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the nosuid setting in parentheses. This is not applicable if NFS is not implemented. Is it the case that the setting does not show? Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. SLES-15-040160 mount_option_nosuid_remote_filesystems
V-235001 366 medium SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. To verify the noexec option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the noexec setting in parentheses. This is not applicable if NFS is not implemented. Is it the case that the setting does not show? Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. SLES-15-040170 mount_option_noexec_remote_filesystems
V-235002 366 medium All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group. Allowing a user account to group own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. The following command will discover and print world-writable directories that are not group owned by a system account, given the assumption that only system accounts have a gid lower than 1000. Run it once for each local partition PART: $ sudo find PART -xdev -type d -perm -0002 -gid +999 -print Is it the case that there is output? All directories in local partitions which are world-writable should be group owned by root or another system account. If any world-writable directories are not group owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. SLES-15-040180 dir_perms_world_writable_system_owned_group
V-235003 366 medium SUSE operating system kernel core dumps must be disabled unless needed. Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. To check that the kdump service is disabled in system boot configuration, run the following command: $ systemctl is-enabled kdump Output should indicate the kdump service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ systemctl is-enabled kdump disabled Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration: $ systemctl is-active kdump If the service is not running the command will return the following output: inactive The service will also be masked, to check that the kdump is masked, run the following command: $ systemctl show kdump | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that ? The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service
SLES-15-040190 service_kdump_disabled
V-235004 366 low A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent). Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. Run the following command to determine if /home is on its own partition or logical volume: $ mount | grep "on /home" If /home has its own partition or volume group, a line will be returned. Is it the case that no line is returned? If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. SLES-15-040200 partition_for_home
V-235005 366 low The SUSE operating system must use a separate file system for /var. Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages. Run the following command to determine if /var is on its own partition or logical volume: $ mount | grep "on /var" If /var has its own partition or volume group, a line will be returned. Is it the case that no line is returned? The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. SLES-15-040210 partition_for_var
V-235006 366 medium The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. pam-config is a command line utility that automatically generates a system PAM configuration as packages are installed, updated or removed from the system. pam-config removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security. Check that soft links between PAM configuration files are removed with the following command: # find /etc/pam.d/ -type l -iname "common-*" If any results are returned, this is a finding. Is it the case that that is not the case? Verify the SUSE operating system is configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. SLES-15-040220 pam_disable_automatic_configuration
V-235007 366 medium The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication. Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: $ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreUserKnownHosts yes
SLES-15-040230 sshd_disable_user_known_hosts
V-235008 366 medium The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive. If a public host key file is modified by an unauthorized user, the SSH service may be compromised. To check the permissions of /etc/ssh/*.pub, run the command: $ ls -l /etc/ssh/*.pub If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/ssh/*.pub has unix mode -rw-r--r--? To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
SLES-15-040240 file_permissions_sshd_pub_key
V-235009 366 medium The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive. If an unauthorized user obtains the private SSH host key file, the host could be impersonated. To check the permissions of /etc/ssh/*_key, run the command: $ ls -l /etc/ssh/*_key If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/ssh/*_key has unix mode -rw-r-----? To properly set the permissions of /etc/ssh/*_key, run the command:
$ sudo chmod 0600 /etc/ssh/*_key
SLES-15-040250 file_permissions_sshd_private_key
V-235010 366 medium The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files. If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. To check if StrictModes is enabled or set correctly, run the following command: $ sudo grep StrictModes /etc/ssh/sshd_config If configured properly, output should be yes Is it the case that it is commented out or is not enabled? SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected. To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
StrictModes yes
SLES-15-040260 sshd_enable_strictmodes
V-235012 366 medium The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication. If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. To check if compression is enabled or set correctly, run the following command: $ sudo grep Compression /etc/ssh/sshd_config If configured properly, output should be no or delayed. Is it the case that it is commented out, or is not set to no or delayed? Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:
Compression 
SLES-15-040280 sshd_disable_compression
V-235013 366 medium The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements. Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. To determine how the SSH daemon's X11Forwarding option is set, run the following command: $ sudo grep -i X11Forwarding /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value no is returned, then the required value is set. Is it the case that the required value is not set? The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.

To disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:
X11Forwarding no
SLES-15-040290 sshd_disable_x11_forwarding
V-235014 366 medium The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.accept_source_route\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.accept_source_route = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.accept_source_route = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
SLES-15-040300 sysctl_net_ipv4_conf_all_accept_source_route
V-235015 366 medium The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets. Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.accept_source_route The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv6.conf.all.accept_source_route\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv6.conf.all.accept_source_route = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv6.conf.all.accept_source_route = 0, and that one assignment is returned when $ grep -r net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0
SLES-15-040310 sysctl_net_ipv6_conf_all_accept_source_route
V-235016 366 medium The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.accept_source_route\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.accept_source_route = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.accept_source_route = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
SLES-15-040320 sysctl_net_ipv4_conf_default_accept_source_route
V-235017 366 medium The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_source_route The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv6.conf.default.accept_source_route\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv6.conf.default.accept_source_route = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv6.conf.default.accept_source_route = 0, and that one assignment is returned when $ grep -r net.ipv6.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
SLES-15-040321 sysctl_net_ipv6_conf_default_accept_source_route
V-235018 366 medium The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."
The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.accept_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.accept_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
SLES-15-040330 sysctl_net_ipv4_conf_all_accept_redirects
V-235019 366 medium The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.accept_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.accept_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
SLES-15-040340 sysctl_net_ipv4_conf_default_accept_redirects
V-235020 366 medium The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. An illicit ICMP redirect message could result in a man-in-the-middle attack. The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.accept_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv6.conf.all.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv6.conf.all.accept_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv6.conf.all.accept_redirects = 0, and that one assignment is returned when $ grep -r net.ipv6.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
SLES-15-040341 sysctl_net_ipv6_conf_all_accept_redirects
V-235021 366 medium The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default. An illicit ICMP redirect message could result in a man-in-the-middle attack. The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv6.conf.default.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv6.conf.default.accept_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv6.conf.default.accept_redirects = 0, and that one assignment is returned when $ grep -r net.ipv6.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
SLES-15-040350 sysctl_net_ipv6_conf_default_accept_redirects
V-235022 366 medium The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.send_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.send_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.send_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
SLES-15-040360 sysctl_net_ipv4_conf_default_send_redirects
V-235023 366 medium The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.send_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.send_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.send_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.all.send_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
SLES-15-040370 sysctl_net_ipv4_conf_all_send_redirects
V-235024 366 medium The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. The runtime status of the net.ipv4.ip_forward kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.ip_forward\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.ip_forward = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.ip_forward = 0, and that one assignment is returned when $ grep -r net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d is executed. The ability to forward packets is only appropriate for routers. Is it the case that ? To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.ip_forward = 0
SLES-15-040380 sysctl_net_ipv4_ip_forward
V-235025 366 medium The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.forwarding The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv6.conf.all.forwarding\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv6.conf.all.forwarding = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv6.conf.all.forwarding = 0, and that one assignment is returned when $ grep -r net.ipv6.conf.all.forwarding /etc/sysctl.conf /etc/sysctl.d is executed. The ability to forward packets is only appropriate for routers. Is it the case that ? To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0
SLES-15-040381 sysctl_net_ipv6_conf_all_forwarding
V-235026 366 medium The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router. IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. The runtime status of the net.ipv6.conf.default.forwarding kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.forwarding The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv6.conf.default.forwarding\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv6.conf.default.forwarding = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv6.conf.default.forwarding = 0, and that one assignment is returned when $ grep -r net.ipv6.conf.default.forwarding /etc/sysctl.conf /etc/sysctl.d is executed. The ability to forward packets is only appropriate for routers. Is it the case that IPv6 Forwading is not disabled? To set the runtime status of the net.ipv6.conf.default.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.forwarding = 0
SLES-15-040382 sysctl_net_ipv6_conf_default_forwarding
V-235027 366 medium The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented. Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.
To verify that Promiscuous mode of an interface is disabled, run the following command: $ ip link | grep PROMISC The output returned should not return any network device containing PROMISC. Is it the case that any network device is in promiscuous mode? The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command:
$ sudo ip link set dev device_name multicast off promisc off
SLES-15-040390 network_sniffer_disabled
V-235028 1230 medium All SUSE operating system files and directories must have a valid owner. Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. The following command will discover and print any files on local partitions which do not belong to a valid user. $ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the chown command: $ sudo chown user file Is it the case that files exist that are not owned by a valid user? If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. The following command will discover and print any files on local partitions which do not belong to a valid user:
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nouser
SLES-15-040400 no_files_unowned_by_user
V-235029 1230 medium All SUSE operating system files and directories must have a valid group owner. Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. The following command will discover and print any files on local partitions which do not belong to a valid group. $ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup Either remove all files and directories from the system that do not have a valid group, or assign a valid group with the chgrp command: $ sudo chgrp group file Is it the case that there is output? If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. The following command will discover and print any files on local partitions which do not belong to a valid group:
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nogroup
SLES-15-040410 file_permissions_ungroupowned
V-235030 366 medium The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files. The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. Verify the UMASK setting is configured correctly in the /etc/login.defs file by running the following command: # grep -i "UMASK" /etc/login.defs All output must show the value of umask set as shown in the below: # grep -i "UMASK" /etc/login.defs umask Is it the case that the above command returns no output, or if the umask is configured incorrectly? To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 
SLES-15-040420 accounts_umask_etc_login_defs
V-235031 366 high The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI). Failure to restrict system access to authenticated users negatively impacts operating system security. To verify that automatic or unattended logins are disabled, run the following command: grep -i ^DISPLAYMANAGER_AUTOLOGIN /etc/sysconfig/displaymanager The output should show the following: DISPLAYMANAGER_AUTOLOGIN="" DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" Is it the case that GDM allows users to automatically login or unattended login? The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials or unattended login. User should always be required to authenticate themselves to the system that they are authorized to use. To disable user ability to automatically login to the system, set the DISPLAYMANAGER_AUTOLOGIN="" or DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" in the /etc/sysconfig/displaymanager. For example:
DISPLAYMANAGER_AUTOLOGIN=""
DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
SLES-15-040430 gnome_gdm_disable_unattended_automatic_login
V-235032 366 high The SUSE operating system must not allow unattended or automatic logon via SSH. SSH environment options potentially allow users to bypass access restriction in some configurations. To ensure users are not able to send environment variables, run the following command: $ sudo grep PermitUserEnvironment /etc/ssh/sshd_config If properly configured, output should be: PermitUserEnvironment no Is it the case that PermitUserEnvironment is not disabled? To ensure users are not able to override environment variables of the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:
PermitUserEnvironment no
SLES-15-040440 sshd_do_not_permit_user_env