None Computing title VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide version 2 releaseinfo Release: 2 Vuln_Num V-239441 Rule_ID SV-239441r661774_rule Severity medium Rule_Title The SLES for vRealize must provide automated mechanisms for supporting account management functions. Vuln_Discuss Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors. A comprehensive account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The automated mechanisms may reside within the SLES for vRealize itself or may be offered by other infrastructure providing automated account management capabilities. Automated mechanisms may be composed of differing technologies that, when placed together, contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include: assigning group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage. Check_Content Interview the server admin to determine if there is automated mechanisms for managing user accounts. If there is not, this is a finding. Fix_Text Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos. Not_Reviewed Vuln_Num V-239442 Rule_ID SV-239442r661777_rule Severity medium Rule_Title The SLES for vRealize must automatically remove or disable temporary user accounts after 72 hours. Vuln_Discuss If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the SLES for vRealize must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. To address access requirements, many SLES for vRealize operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Check_Content For every existing temporary account, run the following command to obtain its account expiration information. # chage -l system_account_name Verify each of these accounts has an expiration date set within "72" hours. If any temporary accounts have no expiration date set or do not expire within "72" hours, this is a finding. Fix_Text In the event temporary accounts are required, configure the system to terminate them after "72" hours. For every temporary account, run the following command to set an expiration date on it, substituting "system_account_name" for the appropriate value. # chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name `date -d "+3 days" +%Y-%m-%d` gets the expiration date for the account at the time of running the command. Not_Reviewed Vuln_Num V-239443 Rule_ID SV-239443r661780_rule Severity medium Rule_Title The SLES for vRealize must audit all account creations. Vuln_Discuss Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SLES for vRealize operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Determine if execution of the useradd and groupadd executable are audited. # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Expected result: LIST_RULES: exit,always watch=/usr/sbin/useradd perm=x key=useradd LIST_RULES: exit,always watch=/usr/sbin/groupadd perm=x key=groupadd Fix_Text Configure execute auditing of the "useradd" and "groupadd" executables run the DoD.script with the following command as root: # /etc/dodscript.sh OR Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to /etc/audit/audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Restart the auditd service. # service auditd restart Not_Reviewed Vuln_Num V-239444 Rule_ID SV-239444r661783_rule Severity medium Rule_Title In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications, any unexpected users, groups, or modifications must be investigated for legitimacy. Vuln_Discuss Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SLES for vRealize operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Determine if /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow are audited for appending. # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)' | grep perm=a If the "passwd", "shadow", "group", and "gshadow" files are not listed with a permissions filter of at least "a", this is a finding. Expected result: LIST_RULES: exit,always watch=/etc/passwd perm=a key=passwd LIST_RULES: exit,always watch=/etc/shadow perm=a key=shadow LIST_RULES: exit,always watch=/etc/group perm=a key=group LIST_RULES: exit,always watch=/etc/gshadow perm=a key=gshadow Fix_Text Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files run the DoD.script with the following command as root: # /etc/dodscript.sh # echo '-w /etc/gshadow -p a -k gshadow' >> /etc/audit/audit.rules Restart the auditd service. # service auditd restart OR Configure append auditing of the passwd, shadow, group, and gshadow files by running the following commands: # echo '-w /etc/passwd -p a -k passwd' >> /etc/audit/audit.rules # echo '-w /etc/shadow -p a -k shadow' >> /etc/audit/audit.rules # echo '-w /etc/group -p a -k group' >> /etc/audit/audit.rules # echo '-w /etc/gshadow -p a -k gshadow' >> /etc/audit/audit.rules Restart the auditd service. # service auditd restart Not_Reviewed Vuln_Num V-239445 Rule_ID SV-239445r661786_rule Severity medium Rule_Title The SLES for vRealize must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. Vuln_Discuss By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Check_Content Run the following command to ensure that the SLES for vRealize enforces the limit of "3" consecutive invalid logon attempts by a user: # grep pam_tally2.so /etc/pam.d/common-auth The output should contain "deny=3" in the returned line. If the output does not contain "deny=3", this is a finding. Expected Result: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300 Fix_Text To configure the SLES for vRealize to enforce the limit of "3" consecutive invalid attempts using "pam_tally2.so", modify the content of the /etc/pam.d/common-auth-vmware.local by running the following command: # sed -i "/^[^#]*pam_tally2.so/ c\auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300" /etc/pam.d/common-auth-vmware.local Not_Reviewed Vuln_Num V-239446 Rule_ID SV-239446r661789_rule Severity medium Rule_Title The SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH. Vuln_Discuss Display of a standardized and approved use notification before granting access to the SLES for vRealize ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for SLES for vRealize systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for SLES for vRealize systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." Check_Content Check that the SSH daemon is configured for logon warning banners: # grep -i banner /etc/ssh/sshd_config | grep -v '#' The output should contain "Banner /etc/issue". If the output does not contain "Banner /etc/issue", this is a finding. Fix_Text To configure the SSH daemon with the logon warning banners, modify /etc/ssh/sshd_config execute the following command: # sed -i "/^[^#]*Banner/ c\Banner /etc/issue" /etc/ssh/sshd_config The SSH service will need to be restarted after the above change has been made to SSH. This can be done by running the following command: # service sshd restart Not_Reviewed Vuln_Num V-239447 Rule_ID SV-239447r877399_rule Severity low Rule_Title The SLES for vRealize must limit the number of concurrent sessions to ten for all accounts and/or account types. Vuln_Discuss Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. Check_Content Verify the SLES for vRealize limits the number of concurrent sessions to "10" for all accounts and/or account types with the following command: # grep maxlogins /etc/security/limits.conf | grep -v '#' The default maxlimits should be set to a max of "10" or a documented site defined number: * hard maxlogins 10 If the default maxlimits is not set to "10" or the documented site defined number, this is a finding. Fix_Text Configure the SLES for vRealize to limit the number of concurrent sessions to "10" for all accounts and/or account types by using the following command: sed -i 's/\(^* *hard *maxlogins\).*/* hard maxlogins 10/g' /etc/security/limits.conf Not_Reviewed Vuln_Num V-239448 Rule_ID SV-239448r661795_rule Severity medium Rule_Title The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for all connection types. Vuln_Discuss A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, SLES for vRealize needs to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. Check_Content Check for the existence of the /etc/profile.d/tmout.sh file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to 900 seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set, this is a finding. Fix_Text Ensure the file exists and is owned by root. If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null Not_Reviewed Vuln_Num V-239449 Rule_ID SV-239449r661798_rule Severity medium Rule_Title The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for an SSH connection. Vuln_Discuss A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, SLES for vRealize needs to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. Check_Content Verify SLES for vRealize initiates a session lock after a 15-minute period of inactivity for SSH. Execute the following command: # grep ClientAliveInterval /etc/ssh/sshd_config; grep ClientAliveCountMax /etc/ssh/sshd_config Verify the following result: ClientAliveInterval 900 ClientAliveCountMax 0 If the session lock is not set to a 15-minute period, this is a finding. Fix_Text Configure SLES for vRealize to initiate a session lock after a 15-minute period of inactivity for SSH. Set the session lock after a 15-minute period by executing the following command: # sed -i 's/^.*\bClientAliveInterval\b.*$/ClientAliveInterval 900/' /etc/ssh/sshd_config; sed -i 's/^.*\bClientAliveCountMax\b.*$/ClientAliveCountMax 0/' /etc/ssh/sshd_config Not_Reviewed Vuln_Num V-239450 Rule_ID SV-239450r661801_rule Severity medium Rule_Title The SLES for vRealize must monitor remote access methods - SSH Daemon. Vuln_Discuss Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). Check_Content Verify that SSH is configured to verbosely log connection attempts and failed logon attempts to the server by running the following command: # grep LogLevel /etc/ssh/sshd_config | grep -v '#' The output message must contain the following text: LogLevel VERBOSE If it is not set to "VERBOSE", this is a finding. Fix_Text To configure SSH to verbosely log connection attempts and failed logon attempts to the server, run the following command: # sed -i 's/^.*\bLogLevel\b.*$/LogLevel VERBOSE/' /etc/ssh/sshd_config The SSH service will need to be restarted after the above change has been made to SSH. This can be done by running the following command: # service sshd restart Not_Reviewed Vuln_Num V-239451 Rule_ID SV-239451r877398_rule Severity medium Rule_Title The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Daemon. Vuln_Discuss Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. Check_Content Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the sshd_config file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr Fix_Text Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart Not_Reviewed Vuln_Num V-239452 Rule_ID SV-239452r877398_rule Severity medium Rule_Title The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Client. Vuln_Discuss Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. Check_Content Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the ssh_config file. # grep -i Ciphers /etc/ssh/ssh_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes256-ctr,aes128-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr Fix_Text Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/ssh_config Save and close the file. Not_Reviewed Vuln_Num V-239453 Rule_ID SV-239453r661810_rule Severity medium Rule_Title The SLES for vRealize must produce audit records. Vuln_Discuss Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SLES for vRealize audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. Check_Content Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for: service auditd running If the service is not running, this is a finding. Fix_Text Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start Not_Reviewed Vuln_Num V-239454 Rule_ID SV-239454r661813_rule Severity medium Rule_Title The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. Vuln_Discuss It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Check_Content Check /etc/audit/auditd.conf for the "space_left_action" with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding. Expected Result: space_left_action = SYSLOG Notes: If the space_left_action is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the space_left_action is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note: If the email address of the system administrator is on a remote system "sendmail" must be available. Fix_Text Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart Not_Reviewed Vuln_Num V-239455 Rule_ID SV-239455r661816_rule Severity medium Rule_Title The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern). Vuln_Discuss It is critical that when the SLES for vRealize is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, the operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner. 2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, SLES for vRealize must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server. Check_Content Verify the /etc/audit/auditd.conf has the "disk_full_action", "disk_error_action", and "admin_disk_space_left" parameters set. # grep disk_full_action /etc/audit/auditd.conf If the "disk_full_action" parameter is missing or set to "suspend" or "ignore", this is a finding. # grep disk_error_action /etc/audit/auditd.conf If the "disk_error_action" parameter is missing or set to "suspend" or "ignore", this is a finding. # grep admin_space_left_action /etc/audit/auditd.conf If the "admin_space_left_action" parameter is missing or set to "suspend" or "ignore", this is a finding. Fix_Text Edit /etc/audit/auditd.conf and set the "disk_full_action", "disk_error_action", and "admin_space_left_action" parameters to "syslog" with the following commands: # sed -i "/^[^#]*disk_full_action/ c\disk_full_action = SYSLOG" /etc/audit/auditd.conf # sed -i "/^[^#]*disk_error_action/ c\disk_error_action = SYSLOG" /etc/audit/auditd.conf # sed -i "/^[^#]*admin_space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Not_Reviewed Vuln_Num V-239456 Rule_ID SV-239456r661819_rule Severity medium Rule_Title The SLES for vRealize must protect audit information from unauthorized read access - ownership. Vuln_Discuss Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit SLES for vRealize activity. Check_Content Verify that the SLES for vRealize audit logs are owned by "root". # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file is not owned by "root" or "admin", this is a finding. Fix_Text Change the ownership of the audit log file(s). Procedure: # chown root <audit log file> # chown root /var/log/audit/audit.log Not_Reviewed Vuln_Num V-239457 Rule_ID SV-239457r661822_rule Severity medium Rule_Title The SLES for vRealize must protect audit information from unauthorized read access - group ownership. Vuln_Discuss Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit SLES for vRealize activity. Check_Content Verify that the SLES for vRealize audit logs are group-owned by "root". # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file is not group-owned by "root" or "admin", this is a finding. Fix_Text Change the group ownership of the audit log file(s). Procedure: # chgrp root <audit log file> # chgrp root /var/log/audit/audit.log Not_Reviewed Vuln_Num V-239458 Rule_ID SV-239458r661825_rule Severity medium Rule_Title The SLES for vRealize must protect audit information from unauthorized modification. Vuln_Discuss If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the SLES for vRealize must protect audit information from unauthorized modification. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. Check_Content Check that the SLES for vRealize audit logs with the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file has a mode more permissive than "0640", this is a finding. Fix_Text Change the mode of the audit log file(s): # chmod 0640 <audit log file> Not_Reviewed Vuln_Num V-239459 Rule_ID SV-239459r661828_rule Severity medium Rule_Title The SLES for vRealize must protect audit information from unauthorized deletion. Vuln_Discuss If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the SLES for vRealize must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. Check_Content Check that the SLES for vRealize audit logs with the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file has a mode more permissive than "0640", this is a finding. Fix_Text Change the mode of the audit log file(s): # chmod 0640 <audit log file> Not_Reviewed Vuln_Num V-239460 Rule_ID SV-239460r661831_rule Severity medium Rule_Title The SLES for vRealize must protect audit information from unauthorized deletion - log directories. Vuln_Discuss If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the SLES for vRealize must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. Check_Content Run the following command to check the mode of the system audit directories: # grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n Audit directories must be mode "0700". If the audit directories is not set to mode "0700", this is a finding. Fix_Text Change the mode of the audit log directories with the following command: # chmod 700 <audit log directory> Not_Reviewed Vuln_Num V-239474 Rule_ID SV-239474r661873_rule Severity medium Rule_Title The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - Permissions. Vuln_Discuss Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Check_Content Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the permissions of the file is not set to "640", this is a finding. Fix_Text Change the permissions of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chmod 640 /etc/audit/audit.rules.STIG # chmod 640 /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chmod 640 /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239475 Rule_ID SV-239475r661876_rule Severity medium Rule_Title The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - ownership. Vuln_Discuss Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Check_Content Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the ownership is not set to "root", this is a finding. Fix_Text Change the ownership of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chown root /etc/audit/audit.rules.STIG # chown root /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chown root /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239476 Rule_ID SV-239476r661879_rule Severity medium Rule_Title The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - group ownership. Vuln_Discuss Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Check_Content Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the group owner is not set to "root", this is a finding. Fix_Text Change the group ownership of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chgrp root /etc/audit/audit.rules.STIG # chgrp root /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chgrp root /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239477 Rule_ID SV-239477r661882_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The operating system must generate audit records for all discretionary access control permission modifications using chmod. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if the system is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding. Fix_Text At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239478 Rule_ID SV-239478r661885_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chown. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if the SLES for vRealize is configured to audit calls to the "chown" system call, run the following command: # auditctl -l | grep syscall | grep chown If the SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chown -F auid=0 -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239479 Rule_ID SV-239479r661888_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmod. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "fchmod" system call, run the following command: # auditctl -l | grep syscall | grep fchmod If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchmod -F auid=0 -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239480 Rule_ID SV-239480r661891_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmodat. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "fchmodat" system call, run the following command: # auditctl -l | grep syscall | grep fchmodat If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchmodat -F auid=0 -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239481 Rule_ID SV-239481r661894_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchown. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "fchown" system call, run the following command: # auditctl -l | grep syscall | grep fchown If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchown -F auid=0 -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239482 Rule_ID SV-239482r661897_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchownat. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "fchownat" system call, run the following command: # auditctl -l | grep syscall | grep fchownat If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchownat -F auid=0 -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239483 Rule_ID SV-239483r661900_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fremovexattr. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "fremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep fremovexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fremovexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239484 Rule_ID SV-239484r661903_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fsetxattr. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "fsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep fsetxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fsetxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239485 Rule_ID SV-239485r661906_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lchown. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "lchown" system call, run the following command: # auditctl -l | grep syscall | grep lchown If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lchown Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239486 Rule_ID SV-239486r661909_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lremovexattr. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "lremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep lremovexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lremovexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239487 Rule_ID SV-239487r661912_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lsetxattr. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "lsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep lsetxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lsetxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239488 Rule_ID SV-239488r661915_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using removexattr. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "removexattr" system call, run the following command: # auditctl -l | grep syscall | grep removexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S removexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239489 Rule_ID SV-239489r661918_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using setxattr. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "setxattr" system call, run the following command: # auditctl -l | grep syscall | grep setxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S setxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239490 Rule_ID SV-239490r661921_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all failed attempts to access files and programs. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To check that the SLES for vRealize audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules -a exit,always -F arch=b64 -S swapon -F exit=-EACCES -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b64 -S open -F exit=-EACCES # grep EPERM /etc/audit/audit.rules -a exit,always -F arch=b64 -S swapon -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EPERM If either command lacks output, this is a finding. Fix_Text Add the following to "/etc/audit/audit.rules": -a exit,always -F arch=b64 -S swapon -F exit=-EACCES -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b64 -S open -F exit=-EACCES -a exit,always -F arch=b64 -S swapon -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EPERM Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239491 Rule_ID SV-239491r661924_rule Severity medium Rule_Title The SLES for vRealize must enforce password complexity by requiring that at least one upper-case character be used. Vuln_Discuss Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Check_Content Check SLES for vRealize enforces password complexity by requiring that at least one upper-case character be used by using the following command: # grep ucredit /etc/pam.d/common-password-vmware.local If "ucredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3 Fix_Text If ucredit was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ ucredit=-1/' /etc/pam.d/common-password-vmware.local If "ucredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/ucredit=../ucredit=-1/' /etc/pam.d/common-password-vmware.local Not_Reviewed Vuln_Num V-239492 Rule_ID SV-239492r661927_rule Severity medium Rule_Title Global settings defined in common- {account,auth,password,session} must be applied in the pam.d definition files. Vuln_Discuss Pam global requirements are generally defined in the common-account, common-auth, common- password and common-session files located in the /etc/pam.d directory. In order for the requirements to be applied the file(s) containing them must be included directly or indirectly in each program's definition file in /etc/pam.d. Check_Content Verify that common-{account, auth, password, session} settings are being applied: Verify that local customization has occurred in the common- {account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility. The files "/etc/pam.d/common-{account,auth,password,session} -pc" are autogenerated by "pam-config". Any manual changes made to them will be lost if "pam-config" is allowed to run. # ls -l /etc/pam.d/common-{account,auth,password,session} If the symlinks point to "/etc/pam.d/common- {account,auth,password,session}-pc" and manual updates have been made in these files, the updates cannot be protected if pam-config is enabled. # ls -l /usr/sbin/pam-config If the setting for pam-config is not "000", this is a finding. Fix_Text In the default distribution of SLES 11 "/etc/pam.d/common- {account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common- {account,auth,password,session}-pc" files. These common- {account,auth,password,session}-pc files are autogenerated by the pam-config utility. Edit /usr/sbin/pam-config permissions to prevent its use: # chmod 000 /usr/sbin/pam-config Not_Reviewed Vuln_Num V-239493 Rule_ID SV-239493r661930_rule Severity medium Rule_Title The SLES for vRealize must enforce password complexity by requiring that at least one lower-case character be used. Vuln_Discuss Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Check_Content Verify SLES for vRealize enforces password complexity by requiring that at least one lower-case character be used by using the following command: # grep lcredit /etc/pam.d/common-password-vmware.local If "lcredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3 Fix_Text If lcredit was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ lcredit=-1/' /etc/pam.d/common-password-vmware.local If "lcredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/lcredit=../lcredit=-1/' /etc/pam.d/common-password-vmware.local Not_Reviewed Vuln_Num V-239494 Rule_ID SV-239494r661933_rule Severity medium Rule_Title The SLES for vRealize must enforce password complexity by requiring that at least one numeric character be used. Vuln_Discuss Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Check_Content Check that SLES for vRealize enforces password complexity by requiring that at least one numeric character be used by running the following command: # grep dcredit /etc/pam.d/common-password-vmware.local If "dcredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3 Fix_Text If dcredit was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ dcredit=-1/' /etc/pam.d/common-password-vmware.local If "dcredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/dcredit=../dcredit=-1/' /etc/pam.d/common-password-vmware.local Not_Reviewed Vuln_Num V-239495 Rule_ID SV-239495r661936_rule Severity medium Rule_Title The SLES for vRealize must require the change of at least eight of the total number of characters when passwords are changed. Vuln_Discuss If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Check_Content Check that at least eight characters need to be changed between old and new passwords during a password change by running the following command: # grep pam_cracklib /etc/pam.d/common-password-vmware.local The "difok" parameter indicates how many characters must be different. The DoD requires at least eight characters to be different during a password change. This would appear as "difok=8". If "difok" is not found or not set to at least "8", this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=8 retry=3 Fix_Text If "difok" was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ difok-8/' /etc/pam.d/common-password-vmware.local If "difok" was set incorrectly, run the following command to set it to "8": # sed -i '/pam_cracklib.so/ s/difok=./difok=8/' /etc/pam.d/common-password-vmware.local Not_Reviewed Vuln_Num V-239496 Rule_ID SV-239496r877397_rule Severity high Rule_Title The SLES for vRealize must store only encrypted representations of passwords. Vuln_Discuss Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Check_Content Check that the user account passwords are stored hashed using sha512 by running the following command: # cat /etc/default/passwd | grep CRYPT=sha512 If "CRYPT=sha512" is not listed, this is a finding. Fix_Text Ensure password are being encrypted with hash sha512 with the following command: # echo 'CRYPT=sha512'>>/etc/default/passwd Not_Reviewed Vuln_Num V-239497 Rule_ID SV-239497r661942_rule Severity medium Rule_Title SLES for vRealize must enforce 24 hours/1 day as the minimum password lifetime. Vuln_Discuss Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Check_Content To check that SLES for vRealize enforces 24 hours/1 day as the minimum password age, run the following command: # grep PASS_MIN_DAYS /etc/login.defs | grep -v '#' The DoD requirement is "1". If "PASS_MIN_DAYS" is not set to the required value, this is a finding. Fix_Text To configure SLES for vRealize to enforce 24 hours/1 day as the minimum password age, edit the file "/etc/login.defs" with the following command: # sed -i "/^[^#]*PASS_MIN_DAYS/ c\PASS_MIN_DAYS 1" /etc/login.defs Not_Reviewed Vuln_Num V-239498 Rule_ID SV-239498r661945_rule Severity medium Rule_Title Users must not be able to change passwords more than once every 24 hours. Vuln_Discuss Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Check_Content Check the minimum time period between password changes for each user account is "1" day. # cat /etc/shadow | cut -d ':' -f1,4 | grep -v 1 | grep -v ":$" If any results are returned, this is a finding. Fix_Text Change the minimum time period between password changes for each [USER] account to "1" day. The command in the check text will give you a list of users that need to be updated to be in compliance. # passwd -n 1 [USER] Not_Reviewed Vuln_Num V-239499 Rule_ID SV-239499r661948_rule Severity medium Rule_Title SLES for vRealize must enforce a 60-day maximum password lifetime restriction. Vuln_Discuss Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLES for vRealize does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLES for vRealize passwords could be compromised. Check_Content To check that SLES for vRealize enforces a "60" days or less maximum password age, run the following command: # grep PASS_MAX_DAYS /etc/login.defs | grep -v "#" The DoD requirement is "60" days or less (Greater than zero, as zero days will lock the account immediately). If "PASS_MAX_DAYS" is not set to the required value, this is a finding. Fix_Text To configure SLES for vRealize to enforce a "60" day or less maximum password age, edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days. # sed -i "/^[^#]*PASS_MAX_DAYS/ c\PASS_MAX_DAYS 60" /etc/login.defs The DoD requirement is "60" days or less (Greater than zero, as zero days will lock the account immediately). Not_Reviewed Vuln_Num V-239500 Rule_ID SV-239500r661951_rule Severity medium Rule_Title User passwords must be changed at least every 60 days. Vuln_Discuss Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLES for vRealize does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLES for vRealize passwords could be compromised. Check_Content Check the max days field of "/etc/shadow" by running the following command: # cat /etc/shadow | cut -d':' -f1,5 | egrep -v "([0|60])" | grep -v ":$" If any results are returned, this is a finding. Fix_Text Set the maximum time period between password changes for each [USER] account to "60" days. The command in the check text will give you a list of users that need to be updated to be in compliance. # passwd -x 60 [USER] The DoD requirement is "60" days. Not_Reviewed Vuln_Num V-239501 Rule_ID SV-239501r661954_rule Severity medium Rule_Title The SLES for vRealize must prohibit password reuse for a minimum of five generations. Vuln_Discuss Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. Check_Content Verify that SLES for vRealize prohibits the reuse of a password for a minimum of five generations, by running the following commands: # grep pam_pwhistory.so /etc/pam.d/common-password-vmware.local If the "remember" option in "/etc/pam.d/common-password-vmware.local" file is not "5" or greater, this is a finding. Fix_Text Configure pam to use password history. If the "remember" option was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ remember=5/' /etc/pam.d/common-password-vmware.local If "remember" option was set incorrectly, run the following command to set it to "5": # sed -i '/pam_cracklib.so/ s/remember=./remember=5/' /etc/pam.d/common-password-vmware.local Not_Reviewed Vuln_Num V-239502 Rule_ID SV-239502r661957_rule Severity medium Rule_Title The SLES for vRealize must prohibit password reuse for a minimum of five generations. Ensure the old passwords are being stored. Vuln_Discuss Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. Check_Content Verify that the old password file, "opasswd", exists, by running the following command: # ls /etc/security/opasswd If "/etc/security/opasswd" file does not exist, this is a finding. Fix_Text Create the password history file. # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd Not_Reviewed Vuln_Num V-239503 Rule_ID SV-239503r661960_rule Severity medium Rule_Title The SLES for vRealize must enforce a minimum 15-character password length. Vuln_Discuss The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Check_Content Verify that SLES for vRealize enforces a minimum 15-character password length, by running the following command: # grep pam_cracklib /etc/pam.d/common-password-vmware.local # grep pam_cracklib /etc/pam.d/common-password If the result does not contain "minlen=15" or higher, this is a finding. Fix_Text If "minlen" was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ minlen=15/' /etc/pam.d/common-password-vmware.local If "minlen" was set incorrectly, run the following command to set it to "15": # sed -i '/pam_cracklib.so/ s/minlen=../minlen=15/' /etc/pam.d/common-password-vmware.local Not_Reviewed Vuln_Num V-239504 Rule_ID SV-239504r661963_rule Severity medium Rule_Title The SLES for vRealize must require root password authentication upon booting into single-user mode. Vuln_Discuss To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. Check_Content Verify that root password is required for single user mode logon with the following command: # grep sulogin /etc/inittab Expected result: ~~:S:respawn:/sbin/sulogin If the expected result is not displayed, this is a finding. Fix_Text Configure SLES for vRealize to require root password login with single user mode use the following command: # echo '~~:S:respawn:/sbin/sulogin' >> /etc/inittab Not_Reviewed Vuln_Num V-239505 Rule_ID SV-239505r661966_rule Severity medium Rule_Title Bootloader authentication must be enabled to prevent users without privilege to gain access restricted file system resources. Vuln_Discuss To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. Check_Content To verify a boot password exists. In "/boot/grub/menu.lst" run the following command: # grep password /boot/grub/menu.lst The output should show the following: password --encrypted $1$[rest-of-the-password-hash] If it does not, this is a finding. Fix_Text Run the following command: # /usr/sbin/grub-md5-crypt An MD5 password is generated. After the password is supplied, the command supplies the md5 hash output. Append the password to the menu.lst file by running the following command: echo 'password --md5 <hash from grub-md5-crypt>' >> /boot/grub/menu.lst Or use "yast2" to set the bootloader password: Open the Boot Loader Installation tab. Click Boot Loader Options. Activate the Protect Boot Loader with Password option with a click and type in your Password twice. Click "OK" twice to save the changes. Not_Reviewed Vuln_Num V-239506 Rule_ID SV-239506r661969_rule Severity medium Rule_Title The SLES for the vRealize boot loader configuration file(s) must have mode 0600 or less permissive. Vuln_Discuss File permissions more permissive than 0600 on boot loader configuration files could allow an unauthorized user to view or modify sensitive information pertaining to system boot instructions. Check_Content Check the /boot/grub/menu.lst file: # stat /boot/grub/menu.lst If "/boot/grub/menu.lst" has a mode more permissive than "0600", this is a finding. Fix_Text Change the mode of the "/boot/grub/menu.lst" file to "0600": # chmod 0600 /boot/grub/menu.lst Not_Reviewed Vuln_Num V-239507 Rule_ID SV-239507r661972_rule Severity medium Rule_Title The SLES for the vRealize boot loader configuration files must be owned by root. Vuln_Discuss The SLES for vRealize’s boot loader configuration files are critical to the integrity of the system and must be protected. Unauthorized modification of these files resulting from improper ownership could compromise the system's boot loader configuration. Check_Content Check "/boot/grub/menu.lst" file ownership: # stat /boot/grub/menu.lst If the owner of the file is not "root", this is a finding. Fix_Text Change the ownership of the "/boot/grub/menu.lst" file: # chown root /boot/grub/menu.lst Not_Reviewed Vuln_Num V-239508 Rule_ID SV-239508r661975_rule Severity medium Rule_Title The SLES for the vRealize boot loader configuration file(s) must be group-owned by root, bin, sys, or system. Vuln_Discuss The SLES for vRealize’s boot loader configuration files are critical to the integrity of the system and must be protected. Unauthorized modifications resulting from improper group ownership may compromise the boot loader configuration. Check_Content Check "/boot/grub/menu.lst" file ownership: # stat /boot/grub/menu.lst If the group-owner of the file is not "root", "bin", "sys", or "system", this is a finding. Fix_Text Change the group-ownership of the "/boot/grub/menu.lst" file: # chgrp root /boot/grub/menu.lst Not_Reviewed Vuln_Num V-239509 Rule_ID SV-239509r661978_rule Severity medium Rule_Title The Bluetooth protocol handler must be disabled or not installed. Vuln_Discuss Bluetooth is a personal area network (PAN) technology. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol. Check_Content Verify the Bluetooth protocol handler is prevented from dynamic loading: # grep "install bluetooth /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. Fix_Text Prevent the Bluetooth protocol handler for dynamic loading: # echo "install bluetooth /bin/true" >> /etc/modprobe.conf.local Not_Reviewed Vuln_Num V-239510 Rule_ID SV-239510r661981_rule Severity medium Rule_Title The SLES for vRealize must have USB Mass Storage disabled unless needed. Vuln_Discuss USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data. Check_Content If SLES for vRealize needs USB storage, this vulnerability is not applicable. Check if the "usb-storage" module is prevented from loading: # grep "install usb-storage /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no results are returned, this is a finding. Fix_Text Prevent the "usb-storage" module from loading: # echo "install usb-storage /bin/true" >> /etc/modprobe.conf.local Not_Reviewed Vuln_Num V-239511 Rule_ID SV-239511r661984_rule Severity medium Rule_Title The SLES for vRealize must have USB disabled unless needed. Vuln_Discuss USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data. Check_Content If SLES for vRealize needs USB, this vulnerability is not applicable. Check if the directory "/proc/bus/usb exists". If the directory "/proc/bus/usb exists", this is a finding. Fix_Text Edit the grub bootloader file, "/boot/grub/menu.lst" file, by appending the "nousb" parameter to the kernel boot line. Not_Reviewed Vuln_Num V-239512 Rule_ID SV-239512r661987_rule Severity medium Rule_Title The telnet-server package must not be installed. Vuln_Discuss Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation. Check_Content Check if "telnet-server" package is installed: # rpm -q telnet-server If there is a "telnet-server" package listed, this is a finding. Fix_Text To remove the "telnet-server" package use the following command: rpm -e telnet-server Not_Reviewed Vuln_Num V-239513 Rule_ID SV-239513r661990_rule Severity medium Rule_Title The rsh-server package must not be installed. Vuln_Discuss The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation. Check_Content Check if "rsh-server" package is installed: # rpm -q rsh-server If there is a "rsh-server" package listed, this is a finding. Fix_Text To remove the "telnet-server" package use the following command: rpm -e rsh-server Not_Reviewed Vuln_Num V-239514 Rule_ID SV-239514r661993_rule Severity medium Rule_Title The ypserv package must not be installed. Vuln_Discuss Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. Check_Content Check if "ypserv" package is installed: # rpm -q ypserv If there is a "ypserv" package listed, this is a finding. Fix_Text To remove the "ypserv" package use the following command: rpm -e ypserv Not_Reviewed Vuln_Num V-239515 Rule_ID SV-239515r661996_rule Severity medium Rule_Title The yast2-tftp-server package must not be installed. Vuln_Discuss Removing the "yast2-tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. Check_Content Check if "yast2-tftp-server" package is installed: # rpm -q yast2-tftp-server If there is a "yast2-tftp-server" package listed, this is a finding. Fix_Text To remove the "yast2-tftp-server" package use the following command: rpm -e yast2-tftp-server Not_Reviewed Vuln_Num V-239516 Rule_ID SV-239516r661999_rule Severity medium Rule_Title The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. Vuln_Discuss The Datagram Congestion Control Protocol (DCCP) is a proposed transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol. Check_Content Check that the DCCP protocol handler is prevented from dynamic loading: # grep "install dccp /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. # grep "install dccp_ipv4 /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. # grep "install dccp_ipv6" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* | grep ‘bin/true’ If no result is returned, this is a finding. Fix_Text Prevent the DCCP protocol handler for dynamic loading: # echo "install dccp /bin/true" >> /etc/modprobe.conf.local # echo "install dccp_ipv4 /bin/true" >> /etc/modprobe.conf.local # echo "install dccp_ipv6 /bin/true" >> /etc/modprobe.conf.local Not_Reviewed Vuln_Num V-239517 Rule_ID SV-239517r662002_rule Severity medium Rule_Title The Stream Control Transmission Protocol (SCTP) must be disabled unless required. Vuln_Discuss The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol. Check_Content Verify the SCTP protocol handler is prevented from dynamic loading: # grep "install sctp /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. Fix_Text Prevent the SCTP protocol handler from dynamic loading: # echo "install sctp /bin/true" >> /etc/modprobe.conf.local Not_Reviewed Vuln_Num V-239518 Rule_ID SV-239518r662005_rule Severity medium Rule_Title The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required. Vuln_Discuss The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the system to dynamically load a protocol handler by opening a socket using the protocol. Check_Content Ask the SA if RDS is required by application software running on the system. If so, this is not applicable. Check that the RDS protocol handler is prevented from dynamic loading: # grep "install rds /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. Fix_Text Prevent the RDS protocol handler from dynamic loading: # echo "install rds /bin/true" >> /etc/modprobe.conf.local Not_Reviewed Vuln_Num V-239519 Rule_ID SV-239519r662008_rule Severity medium Rule_Title The Transparent Inter-Process Communication (TIPC) must be disabled or not installed. Vuln_Discuss The Transparent Inter-Process Communication (TIPC) protocol is a relatively new cluster communications protocol developed by Ericsson. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol. Check_Content Verify the TIPC protocol handler is prevented from dynamic loading: # grep "install tipc /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. Fix_Text Prevent the TIPC protocol handler from dynamic loading: # echo "install tipc /bin/true" >> /etc/modprobe.conf.local Not_Reviewed Vuln_Num V-239520 Rule_ID SV-239520r662011_rule Severity medium Rule_Title The xinetd service must be disabled if no network services utilizing it are enabled. Vuln_Discuss The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. Check_Content If network services are using the "xinetd" service, this is not applicable. To check that the "xinetd" service is disabled in system boot configuration, run the following command: # chkconfig "xinetd" --list Output should indicate the "xinetd" service has either not been installed, or has been disabled at all run levels, as shown in the example below: xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "xinetd" is disabled through current runtime configuration: # service xinetd status If the "xinetd" service is disabled the command will return the following output: Checking for service xinetd: unused If the "xinetd" service is running, this is a finding. Fix_Text The "xinetd" service can be disabled with the following command: # chkconfig xinetd off Not_Reviewed Vuln_Num V-239521 Rule_ID SV-239521r662014_rule Severity medium Rule_Title The ypbind service must not be running if no network services utilizing it are enabled. Vuln_Discuss Disabling the "ypbind" service ensures the SLES for vRealize is not acting as a client in a NIS or NIS+ domain when not required. Check_Content If network services are using the "ypbind" service, this is not applicable. To check that the "ypbind" service is disabled in system boot configuration, run the following command: # chkconfig "ypbind" --list Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ypbind" is disabled through current runtime configuration: # service ypbind status If the "ypbind" service is disabled the command will return the following output: Checking for service ypbind unused If the "ypbind" service is running, this is a finding. Fix_Text The "ypbind" service can be disabled with the following command: # chkconfig ypbind off Not_Reviewed Vuln_Num V-239522 Rule_ID SV-239522r662017_rule Severity medium Rule_Title NIS/NIS+/yp files must be owned by root, sys, or bin. Vuln_Discuss NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration, which could weaken the system's security posture. Check_Content Perform the following to check NIS file ownership: # ls -la /var/yp/* If the NIS file ownership is not "root", sys, or bin, this is a finding. Fix_Text Change the ownership of NIS/NIS+/yp files to "root", "sys", "bin", or "system". Consult vendor documentation to determine the location of the files: # chown root <filename> Not_Reviewed Vuln_Num V-239523 Rule_ID SV-239523r662020_rule Severity medium Rule_Title The NIS/NIS+/yp command files must have mode 0755 or less permissive. Vuln_Discuss NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise these processes and SLES for vRealize. Check_Content Perform the following to check NIS file ownership: # ls -la /var/yp/* If the NIS file's mode is more permissive than "0755", this is a finding. Fix_Text Change the mode of NIS/NIS+/yp command files to "0755" or less permissive: # chmod 0755 <filename> Not_Reviewed Vuln_Num V-239524 Rule_ID SV-239524r662023_rule Severity medium Rule_Title The SLES for vRealize must not use UDP for NIS/NIS+. Vuln_Discuss Implementing NIS or NIS+ under UDP may make SLES for vRealize more susceptible to a denial of service attack and does not provide the same quality of service as TCP. Check_Content If SLES for vRealize does not use NIS or NIS+, this is not applicable. Check if NIS or NIS+ is implemented using UDP: # rpcinfo -p | grep yp | grep udp If NIS or NIS+ is implemented using UDP, this is a finding. Fix_Text Configure SLES for vRealize to not use UDP for NIS and NIS+. Consult vendor documentation for the required procedure. Not_Reviewed Vuln_Num V-239525 Rule_ID SV-239525r662026_rule Severity medium Rule_Title NIS maps must be protected through hard-to-guess domain names. Vuln_Discuss The use of hard-to-guess NIS domain names provides additional protection from unauthorized access to the NIS directory information. Check_Content If SLES for vRealize does not use NIS or NIS+, this is not applicable. Check the domain name for NIS maps: # domainname If the name returned is simple to guess, such as the organization name, building or room name, etc., this is a finding. Fix_Text Change the NIS domainname to a value difficult to guess. Consult vendor documentation for the required procedure. Not_Reviewed Vuln_Num V-239526 Rule_ID SV-239526r662029_rule Severity medium Rule_Title Mail relaying must be restricted. Vuln_Discuss If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending SPAM or other unauthorized activity. Check_Content Determine if Sendmail only binds to loopback addresses by examining the "DaemonPortOptions" configuration options. # grep -i "O DaemonPortOptions" /etc/sendmail.cf If there are uncommented "DaemonPortOptions" lines, and all such lines specify system loopback addresses, this is not a finding. Otherwise, determine if "Sendmail" is configured to allow open relay operation. # grep -i promiscuous_relay /etc/mail/sendmail.mc If the promiscuous relay feature is enabled, this is a finding. Fix_Text If SLES for vRealize does not need to receive mail from external hosts, add one or more "DaemonPortOptions" lines referencing system loopback addresses (such as "O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA") and remove lines containing non-loopback addresses. # sed -i "s/O DaemonPortOptions=Name=MTA/O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA/" /etc/sendmail.cf Restart the sendmail service: # service sendmail restart Not_Reviewed Vuln_Num V-239527 Rule_ID SV-239527r662032_rule Severity medium Rule_Title The alias files must be owned by root. Vuln_Discuss If the alias and aliases.db files are not owned by root, an unauthorized user may modify the file to add aliases to run malicious code or redirect email. Check_Content Check the ownership of the alias file: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If all the files are not owned by "root", this is a finding. Fix_Text Change the owner of the alias files to "root": # chown root /etc/aliases # chown root /etc/aliases.db Not_Reviewed Vuln_Num V-239528 Rule_ID SV-239528r662035_rule Severity medium Rule_Title The alias files must be group-owned by root, or a system group. Vuln_Discuss If the aliases and aliases.db file are not group-owned by root or a system group, an unauthorized user may modify one or both of the files to add aliases to run malicious code or redirect email. Check_Content Check the group ownership of the alias files: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If the files are not group-owned by "root", this is a finding. Fix_Text Change the group owner of the alias files to "root": # chgrp root /etc/aliases # chgrp root /etc/aliases.db Not_Reviewed Vuln_Num V-239529 Rule_ID SV-239529r662038_rule Severity medium Rule_Title The alias files must have mode 0644 or less permissive. Vuln_Discuss Excessive permissions on the alias files may permit unauthorized modification. If an alias file is modified by an unauthorized user, they may modify the file to run malicious code or redirect email. Check_Content Check the permissions of the alias files: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If the alias files have a mode more permissive than "0644", this is a finding. Fix_Text Change the mode of the alias files to "0644": # chmod 0644 /etc/aliases /etc/aliases.db Not_Reviewed Vuln_Num V-239530 Rule_ID SV-239530r662041_rule Severity medium Rule_Title Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root. Vuln_Discuss If a file executed through a mail aliases file is not owned and writable only by root, it may be subject to unauthorized modification. Unauthorized modification of files executed through aliases may allow unauthorized users to attain root privileges. Check_Content Verify the ownership of files referenced within the sendmail aliases file: # more /etc/aliases Examine the aliases file for any utilized directories or paths: # ls -lL <directory or file path> Check the owner for any paths referenced. Check if the file or parent directory is owned by root. If the file or parent directory is not owned by "root", this is a finding. Fix_Text Edit the "/etc/aliases" file (alternatively, /usr/lib/sendmail.cf). Locate the entries executing a program. They will appear similar to the following line: Aliasname: : /usr/local/bin/ls (or some other program name) Ensure "root" owns the programs and the directory(ies) they reside in by using the chown command to change owner to "root": # chown root <file or directory name> Not_Reviewed Vuln_Num V-239531 Rule_ID SV-239531r662044_rule Severity medium Rule_Title Files executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system. Vuln_Discuss If a file executed through a mail aliases file is not group-owned by root or a system group, it may be subject to unauthorized modification. Unauthorized modification of files executed through aliases may allow unauthorized users to attain root privileges. Check_Content Examine the contents of the "/etc/aliases" file: # more /etc/aliases Examine the aliases file for any directories or paths that may be utilized: # ls -lL <file referenced from aliases> Check the permissions for any paths referenced. If the group owner of any file is not "root", "bin", "sys", or "system", this is a finding. Fix_Text Change the group ownership of the file referenced from "/etc/mail/aliases": # chgrp root <file referenced from aliases> Not_Reviewed Vuln_Num V-239532 Rule_ID SV-239532r662047_rule Severity medium Rule_Title Files executed through a mail aliases file must have mode 0755 or less permissive. Vuln_Discuss If a file executed through a mail alias file has permissions greater than 0755, it can be modified by an unauthorized user and may contain malicious code or instructions that could compromise the system. Check_Content Examine the contents of the "/etc/aliases" file: # more /etc/aliases Examine the aliases file for any directories or paths that may be utilized: # ls -lL <file referenced from aliases> Check the permissions for any paths referenced. If any file referenced from the aliases file has a mode more permissive than "0755", this is a finding. Fix_Text Use the chmod command to change the access permissions for files executed from the alias file: # chmod 0755 <file referenced from aliases> Not_Reviewed Vuln_Num V-239533 Rule_ID SV-239533r662050_rule Severity medium Rule_Title Sendmail logging must not be set to less than nine in the sendmail.cf file. Vuln_Discuss If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the sendmail service. Check_Content Check sendmail to determine if the logging level is set to level "9": # grep "O L" /etc/sendmail.cf OR # grep LogLevel /etc/sendmail.cf If logging is set to less than "9", this is a finding. Fix_Text Edit the "sendmail.cf" file, locate the "O L" or "LogLevel" entry, and change it to "9". Not_Reviewed Vuln_Num V-239534 Rule_ID SV-239534r662053_rule Severity medium Rule_Title The system syslog service must log informational and more severe SMTP service messages. Vuln_Discuss If informational and more severe SMTP service messages are not logged, malicious activity on the system may go unnoticed. Check_Content Check the "/etc/syslog-ng/syslog-ng.conf" file for the following log entries: filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; If any of the above log entries are present, this is not a finding. Fix_Text Edit the "/etc/syslog-ng/syslog-ng.conf" file and add the following log entries: filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; destination mailinfo { file("/var/log/mail.info"); }; log { source(src); filter(f_mailinfo); destination(mailinfo); }; destination mailwarn { file("/var/log/mail.warn"); }; log { source(src); filter(f_mailwarn); destination(mailwarn); }; destination mailerr { file("/var/log/mail.err" fsync(yes)); }; log { source(src); filter(f_mailerr); destination(mailerr); }; Not_Reviewed Vuln_Num V-239535 Rule_ID SV-239535r662056_rule Severity medium Rule_Title The SMTP service log files must be owned by root. Vuln_Discuss If the SMTP service log file is not owned by root, then unauthorized personnel may modify or delete the file to hide a system compromise. Check_Content Check the permissions on the mail log files: # ls -la /var/log/mail # ls -la /var/log/mail.info # ls -la /var/log/mail.warn # ls -la /var/log/mail.err If any mail log file is not owned by "root", this is a finding. Fix_Text Change the ownership of the sendmail log files to "root": # chown root <sendmail log file> Not_Reviewed Vuln_Num V-239536 Rule_ID SV-239536r662059_rule Severity medium Rule_Title The SMTP service log file must have mode 0644 or less permissive. Vuln_Discuss If the SMTP service log file is more permissive than 0644, unauthorized users may be allowed to change the log file. Check_Content Check the permissions on the mail log files: # ls -la /var/log/mail # ls -la /var/log/mail.info # ls -la /var/log/mail.warn # ls -la /var/log/mail.err If the log file permissions are greater than "0644", this is a finding. Fix_Text Change the mode of the sendmail log files to "0644": # chmod 0644 <sendmail log file> Not_Reviewed Vuln_Num V-239537 Rule_ID SV-239537r662062_rule Severity medium Rule_Title The SMTP service HELP command must not be enabled. Vuln_Discuss The HELP command should be disabled to mask version information. The version of the SMTP service software could be used by attackers to target vulnerabilities present in specific software versions. Check_Content Check the permissions of the sendmail helpfile: ls -al /usr/lib/sendmail.d/helpfile If the permissions are not "0000", this is a finding. Fix_Text Run the following command to disable the sendmail helpfile: # chmod 0000 /usr/lib/sendmail.d/helpfile Not_Reviewed Vuln_Num V-239538 Rule_ID SV-239538r662065_rule Severity medium Rule_Title The SMTP services SMTP greeting must not provide version information. Vuln_Discuss The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version. Check_Content To check for the sendmail version being displayed in the greeting: # more /etc/sendmail.cf | grep SmtpGreetingMessage If it returns: O SmtpGreetingMessage=$j Sendmail $v/$Z; $b Then sendmail is providing version information, this is a finding. Fix_Text Change the "O SmtpGreetingMessage" line in the "/etc/sendmail.cf" file to: O SmtpGreetingMessage= Mail Server Ready ; $b Not_Reviewed Vuln_Num V-239539 Rule_ID SV-239539r662068_rule Severity medium Rule_Title The SMTP service must not use .forward files. Vuln_Discuss The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops that could degrade system performance. Check_Content Check forwarding from sendmail: # grep "0 ForwardPath" /etc/sendmail.cf If the entry contains a file path and is not commented out, this is a finding. Fix_Text Disable forwarding for sendmail and remove ".forward" files from the system: Remove all ".forward" files on the system. # find / -name .forward -delete Use the following command to disable forwarding: # sed -i "s/O ForwardPath/#O ForwardPath/" /etc/sendmail.cf Restart the sendmail service: # service sendmail restart Not_Reviewed Vuln_Num V-239540 Rule_ID SV-239540r662071_rule Severity medium Rule_Title The SMTP service must not have the EXPN feature active. Vuln_Discuss The SMTP EXPN function allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. EXPN may also provide additional information concerning users on the system, such as the full names of account owners. Check_Content Use the following command to check if EXPN is disabled: # grep -v "^#" /etc/sendmail.cf |grep -i PrivacyOptions If "noexpn" is not returned, this is a finding. Fix_Text Add "noexpn" to the "PrivacyOptions" flag in the "/etc/sendmail.cf" file. Not_Reviewed Vuln_Num V-239541 Rule_ID SV-239541r662074_rule Severity medium Rule_Title The SMTP service must not have the VRFY feature active. Vuln_Discuss The VRFY (Verify) command allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. VRFY may provide additional information about users on the system, such as the full names of account owners. Check_Content Use the following command to check if VRFY is disabled: # grep -v "^#" /etc/sendmail.cf |grep -i PrivacyOptions If "novrfy" is not returned, this is a finding. Fix_Text Add "novrfy" to the "PrivacyOptions" flag in the "/etc/sendmail.cf" file. Not_Reviewed Vuln_Num V-239542 Rule_ID SV-239542r662077_rule Severity medium Rule_Title The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required. Vuln_Discuss The Lightweight User Datagram Protocol (UDP-Lite) is a proposed transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol. Check_Content Run the following command: iptables --list | grep "udplite" If no result is displayed, this is a finding. Fix_Text Configure SLES for vRealize to prevent the dynamic loading of the "UDP-Lite" protocol handler: Add the following rule to the iptables firewall ruleset: # iptables -A INPUT -p udplite -j DROP Not_Reviewed Vuln_Num V-239543 Rule_ID SV-239543r662080_rule Severity medium Rule_Title The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed. Vuln_Discuss The Internetwork Packet Exchange (IPX) protocol is a network-layer protocol that is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol. Check_Content Check that the "IPX" protocol handler is prevented from dynamic loading: # grep "install ipx /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. Fix_Text Prevent the "IPX" protocol handler from dynamic loading: # echo "install ipx /bin/true" >> /etc/modprobe.conf.local Not_Reviewed Vuln_Num V-239544 Rule_ID SV-239544r662083_rule Severity medium Rule_Title The AppleTalk protocol must be disabled or not installed. Vuln_Discuss The AppleTalk suite of protocols is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol. Check_Content Verify the "AppleTalk" protocol handler is prevented from dynamic loading: # grep "install appletalk /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. Fix_Text Prevent the "AppleTalk" protocol handler from dynamic loading: # echo "install appletalk /bin/true" >> /etc/modprobe.conf.local Not_Reviewed Vuln_Num V-239545 Rule_ID SV-239545r662086_rule Severity medium Rule_Title The DECnet protocol must be disabled or not installed. Vuln_Discuss The DECnet suite of protocols is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol. Check_Content Check that the "DECnet" protocol handler is prevented from dynamic loading: # grep "install decnet /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. Fix_Text Prevent the "DECnet" protocol handler from dynamic loading: # echo "install decnet /bin/true" >> /etc/modprobe.conf.local Not_Reviewed Vuln_Num V-239546 Rule_ID SV-239546r662089_rule Severity medium Rule_Title Proxy Neighbor Discovery Protocol (NDP) must not be enabled on SLES for vRealize. Vuln_Discuss Proxy Neighbor Discovery Protocol (NDP) allows a system to respond to NDP requests on one interface on behalf of hosts connected to another interface. If this function is enabled when not required, addressing information may be leaked between the attached network segments. Check_Content Determine if SLES for vRealize has proxy "NDP", and if it is enabled: # more /proc/sys/net/ipv6/conf/*/proxy_ndp If the file is not found, the kernel does not have proxy "NDP", this is not a finding. If the file has a value of "0", proxy "NDP" is not enabled, this is not a finding. If the file has a value of "1", proxy NDP is enabled, this is a finding. Fix_Text Disable proxy "NDP" on the system. For Appliance OS, "proxy_ndp" is disabled by default. Not_Reviewed Vuln_Num V-239547 Rule_ID SV-239547r662092_rule Severity medium Rule_Title The SLES for vRealize must not have 6to4 enabled. Vuln_Discuss 6to4 is an IPv6 transition mechanism that involves tunneling IPv6 packets encapsulated in IPv4 packets on an ad hoc basis. This is not a preferred transition strategy and increases the attack surface of SLES for vRealize. Check_Content Check SLES for vRealize for any active "6to4" tunnels without specific remote addresses: # ip tun list | grep "remote any" | grep "ipv6/ip" If any results are returned the "tunnel" is the first field. If any results are returned, this is a finding. Fix_Text Disable the active "6to4" tunnel: # ip link set <tunnel> down Add this command to a startup script, or remove the configuration creating the tunnel. Not_Reviewed Vuln_Num V-239548 Rule_ID SV-239548r662095_rule Severity medium Rule_Title The SLES for vRealize must not have Teredo enabled. Vuln_Discuss Teredo is an IPv6 transition mechanism that involves tunneling IPv6 packets encapsulated in IPv4 packets. Unauthorized tunneling may circumvent network security. Check_Content Verify the "Miredo" service is not running: # ps ax | grep miredo | grep -v grep If the Miredo process is running, this is a finding. Note: For Appliance OS, "Miredo" is not included by default, this is not a finding. Fix_Text Kill the "Miredo" service. Edit startup scripts to prevent the service from running on startup. Not_Reviewed Vuln_Num V-239549 Rule_ID SV-239549r662098_rule Severity medium Rule_Title The DHCP client must be disabled if not needed. Vuln_Discuss DHCP allows for the unauthenticated configuration of network parameters on SLES for vRealize by exchanging information with a DHCP server. Check_Content Check that no interface is configured to use "DHCP": # grep -i bootproto=dhcp4 /etc/sysconfig/network/ifcfg-* If any configuration is found, this is a finding. Fix_Text Edit the "/etc/sysconfig/network/ifcfg-*" file(s) and change the "bootproto" setting to "static". Not_Reviewed Vuln_Num V-239550 Rule_ID SV-239550r662101_rule Severity medium Rule_Title The SLES for vRealize must have IEEE 1394 (Firewire) disabled unless needed. Vuln_Discuss Firewire is a common computer peripheral interface. Firewire devices may include storage devices that could be used to install malicious software on a system or exfiltrate data. Check_Content If SLES for vRealize needs IEEE 1394 (Firewire), this is not applicable. Check if the firewire module is not disabled: # grep "install ieee1394 /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no results are returned, this is a finding. Fix_Text Prevent SLES for vRealize from loading the firewire module: # echo "install ieee1394 /bin/true" >> /etc/modprobe.conf.local Not_Reviewed Vuln_Num V-239551 Rule_ID SV-239551r662104_rule Severity medium Rule_Title Duplicate User IDs (UIDs) must not exist for users within the organization. Vuln_Discuss To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of SLES for vRealize. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Check_Content Verify that SLES for vRealize contains no duplicate UIDs for organizational users by running the following command: # awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, this is a finding. Fix_Text Edit the file "/etc/passwd" and provide each organizational user account that has a duplicate UID with a unique UID. Not_Reviewed Vuln_Num V-239552 Rule_ID SV-239552r662107_rule Severity high Rule_Title The SLES for vRealize must prevent direct logon into the root account. Vuln_Discuss To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the UNIX and Windows operating systems offer a 'switch user' capability allowing users to authenticate with their individual credentials and, when needed, 'switch' to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge. Check_Content Verify SLES for vRealize prevents direct logons to the root account by running the following command: # grep root /etc/shadow | cut -d "":"" -f 2 If the returned message contains any text, this is a finding. Fix_Text Configure SLES for vRealize to prevent direct logins to the root account by performing the following operations: Add this line to the "/etc/group" file: admin:x:[UNIQUE_NUMBER]:[USERNAME] USERNAME is the user you wish to add to the admin group. UNIQUE_NUMBER is a number entered into the ID field of an entry that is unique to all other IDs in the file. Comment out the following lines in "/etc/sudoers" file: Default targetpw ALL ALL=(ALL) ALL Under the line in the "/etc/sudoers" file: root ALL=(ALL) All Add the following line: %admin ALL=(ALL) ALL Run the following command: # passwd -d root Not_Reviewed Vuln_Num V-239553 Rule_ID SV-239553r852586_rule Severity medium Rule_Title The SLES for vRealize must enforce SSHv2 for network access to privileged accounts. Vuln_Discuss A replay attack may enable an unauthorized user to gain access to SLES for vRealize. Authentication sessions between the authenticator and SLES for vRealize validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A privileged account is any information system account with authorizations of a privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Check_Content Verify that SLES for vRealize enforces SSHv2 for network access to privileged accounts by running the following command: Replace [ADDRESS] in the following command with the correct IP address based on the current system configuration. # ssh -1 [ADDRESS] An example of the command usage is as follows: # ssh -1 localhost The output must be the following: Protocol major versions differ: 1 vs. 2 If it is not, this is a finding. OR Verify that the ssh is configured to enforce SSHv2 for network access to privileged accounts by running the following command: # grep Protocol /etc/ssh/sshd_config If the result is not "Protocol 2", this is a finding. Fix_Text Configure SLES for vRealize to enforce SSHv2 for network access to privileged accounts by running the following commands: # sed -i 's/^.*\bProtocol\b.*$/Protocol 2/' /etc/ssh/sshd_config Restart the ssh service. # service sshd restart Not_Reviewed Vuln_Num V-239554 Rule_ID SV-239554r852587_rule Severity medium Rule_Title The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts. Vuln_Discuss A replay attack may enable an unauthorized user to gain access to SLES for vRealize. Authentication sessions between the authenticator and SLES for vRealize validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A non-privileged account is any SLES for vRealize account with authorizations of a non-privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Check_Content Verify that SLES for vRealize enforces SSHv2 for network access to privileged accounts by running the following command: Replace [ADDRESS] in the following command with the correct IP address based on the current system configuration. # ssh -1 [ADDRESS] An example of the command usage is as follows: # ssh -1 localhost The output must be one of the following items: Protocol major versions differ: 1 vs. 2 OR Protocol 1 not allowed in the FIPS mode. If it does not, this is a finding. OR Verify that the ssh is configured to enforce SSHv2 for network access to privileged accounts by running the following command: # grep Protocol /etc/ssh/sshd_config If the result is not "Protocol 2", this is a finding. Fix_Text Configure SLES for vRealize to enforce SSHv2 for network access to non-privileged accounts by running the following commands: # sed -i 's/^.*\bProtocol\b.*$/Protocol 2/' /etc/ssh/sshd_config Restart the ssh service. # service sshd restart Not_Reviewed Vuln_Num V-239555 Rule_ID SV-239555r662116_rule Severity medium Rule_Title The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration. Vuln_Discuss Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. SLES for vRealize need to track periods of inactivity and disable application identifiers after 35 days of inactivity. Check_Content Verify SLES for vRealize disables account identifiers after "35" days of inactivity after the password expiration, by performing the following commands: # grep "INACTIVE" /etc/default/useradd The output must indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: grep "INACTIVE" /etc/default/useradd INACTIVE=35 If "INACTIVE" is not set to a value 0<[VALUE]<=35, this is a finding. Fix_Text Configure SLES for vRealize to disable account identifiers after "35" days of inactivity after the password expiration. Run the following command to change the configuration for useradd: Replace [VALUE] in the command with any integer from the range 0<[VALUE]<= 35. # sed -i "s/^.*\bINACTIVE\b.*$/INACTIVE=[VALUE]/" /etc/default/useradd DoD recommendation is "35" days, but a lower value is acceptable. The value "-1" will disable this feature and "0" will disable the account immediately after the password expires. Not_Reviewed Vuln_Num V-239556 Rule_ID SV-239556r662119_rule Severity medium Rule_Title The SLES for vRealize must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. Vuln_Discuss Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. SLES for vRealize utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. Check_Content Check the "/etc/default/passwd" file: # grep CRYPT /etc/default/passwd If the "CRYPT" setting in the "/etc/default/passwd" file is not present, or not set to "SHA256" or "SHA512", this is a finding. If the "CRYPT_FILES" setting in the "/etc/default/passwd" file is not present, or not set to "SHA256" or "SHA512", this is a finding. Fix_Text Edit the "/etc/default/passwd" file and add or change the "CRYPT" variable setting so that it contains: CRYPT=sha256 OR CRYPT=sha512 Edit the "/etc/default/passwd" file and add or change the "CRYPT_FILES" variable setting so that it contains: CRYPT_FILES=sha256 OR CRYPT_FILES=sha512 Not_Reviewed Vuln_Num V-239557 Rule_ID SV-239557r662122_rule Severity medium Rule_Title The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users). Vuln_Discuss Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system. Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of an employee (e.g., contractors and guest researchers). Non-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access. Check_Content Run the following command to check for duplicate account names: # pwck -rq If there are no duplicate names, no line will be returned. If a line is returned, this is a finding. Fix_Text Change usernames, or delete accounts, so each has a unique name. Not_Reviewed Vuln_Num V-239558 Rule_ID SV-239558r662125_rule Severity medium Rule_Title The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users). Vuln_Discuss Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system. Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of an employee (e.g., contractors and guest researchers). Non-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access. Check_Content Verify the SLES for vRealize uniquely identifies and authenticates non-organizational users by running the following commands: # awk -F: '{print $3}' /etc/passwd | sort | uniq -d If the output is not blank, this is a finding. Fix_Text Configure the SLES for vRealize to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). UNIQUE_USER_ID is a unique numerical value that must be non-negative. USERNAME is the username of the user whose user ID you wish to change. # usermod -u [UNIQUE_USER_ID] [USERNAME] Not_Reviewed Vuln_Num V-239559 Rule_ID SV-239559r662128_rule Severity medium Rule_Title The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled. Vuln_Discuss Emergency administrator accounts are privileged accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account that is created for use by vendors or system maintainers. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Check_Content For each emergency administrator account run the following command: chage -l [user] If the output shows an expiration date for the account, this is a finding. Fix_Text For each emergency administrator account run the following command to remove the expiration date: chage -E -1 [user] Not_Reviewed Vuln_Num V-239560 Rule_ID SV-239560r877395_rule Severity medium Rule_Title The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. Vuln_Discuss If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Check_Content Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the sshd_config file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr Fix_Text Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart Not_Reviewed Vuln_Num V-239561 Rule_ID SV-239561r662134_rule Severity medium Rule_Title The SLES for vRealize must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed. Vuln_Discuss If a maintenance session or connection remains open after maintenance is completed, it may be hijacked by an attacker and used to compromise or damage the system. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Check_Content Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding. Fix_Text Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null Not_Reviewed Vuln_Num V-239562 Rule_ID SV-239562r662137_rule Severity medium Rule_Title The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. Vuln_Discuss DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Check_Content Check that SLES for vRealize is configured to use TCP syncookies when experiencing a TCP SYN flood. # cat /proc/sys/net/ipv4/tcp_syncookies If the result is not "1", this is a finding. Fix_Text Configure SLES for vRealize to use TCP syncookies when experiencing a TCP SYN flood. # sed -i 's/^.*\bnet.ipv4.tcp_syncookies\b.*$/net.ipv4.tcp_syncookies=1/' /etc/sysctl.conf Reload sysctl to verify the new change: # sysctl -p Not_Reviewed Vuln_Num V-239563 Rule_ID SV-239563r662140_rule Severity medium Rule_Title The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. Vuln_Discuss DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Check_Content Check that SLES for vRealize has an appropriate TCP backlog queue size to mitigate against TCP SYN flood DOS attacks with the following command: # cat /proc/sys/net/ipv4/tcp_max_syn_backlog The recommended default setting is "1280". If the TCP backlog queue size is not set to "1280", this is a finding. Fix_Text Configure the TCP backlog queue size with the following command: # sed -i 's/^.*\bnet.ipv4.tcp_max_syn_backlog\b.*$/net.ipv4.tcp_max_syn_backlog=1280/' /etc/sysctl.conf Reload sysctl to verify the new change: # sysctl -p Not_Reviewed Vuln_Num V-239564 Rule_ID SV-239564r662405_rule Severity medium Rule_Title The SLES for vRealize must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. Vuln_Discuss Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that SLES for vRealize terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Check_Content Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding. Fix_Text Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null Not_Reviewed Vuln_Num V-239565 Rule_ID SV-239565r662146_rule Severity medium Rule_Title The /var/log directory must be group-owned by root. Vuln_Discuss Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Check_Content Verify the "/var/log" directory is group-owned by "root" by running the following command: # ls -lad /var/log | cut -d' ' -f4 The output must look like the following example: ls -lad /var/log | cut -d' ' -f4 root If "root" is not returned as a result, this is a finding. Fix_Text Change the group of the directory "/var/log" to "root" by running the following command: # chgrp root /var/log Not_Reviewed Vuln_Num V-239566 Rule_ID SV-239566r662149_rule Severity medium Rule_Title The /var/log directory must be owned by root. Vuln_Discuss Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Check_Content Verify that the "/var/log" directory is owned by "root" by running the following command: # ls -lad /var/log | cut -d' ' -f3 The output must look like the following example: ls -lad /var/log | cut -d' ' -f3 root If "root" is not returned as a result, this is a finding. Fix_Text Change the owner of the directory "/var/log" to "root" by running the following command: # chown root /var/log Not_Reviewed Vuln_Num V-239567 Rule_ID SV-239567r662152_rule Severity medium Rule_Title The /var/log directory must have mode 0750 or less permissive. Vuln_Discuss Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Check_Content Verify that the "/var/log" directory is the mode 0750 or less permissive by running the following command: # ls -lad /var/log | cut -d' ' -f1 The output must look like the following example: ls -lad /var/log | cut -d' ' -f1 drwxr-x--- If "drwxr-x---" is not returned as a result, this is a finding. Fix_Text Change the permissions of the directory "/var/log" to "0750" by running the following command: # chmod 0750 /var/log Not_Reviewed Vuln_Num V-239568 Rule_ID SV-239568r662155_rule Severity medium Rule_Title The /var/log/messages file must be group-owned by root. Vuln_Discuss Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Check_Content Verify that the "/var/log/messages" file is group-owned by "root" by running the following command: # ls -la /var/log/messages | cut -d' ' -f4 The output must look like the following example: ls -la /var/log/messages | cut -d' ' -f4 root If "root" is not returned as a result, this is a finding. Fix_Text Change the group of the file "/var/log/messages" to "root" by running the following command: # chgrp root /var/log/messages Not_Reviewed Vuln_Num V-239569 Rule_ID SV-239569r662158_rule Severity medium Rule_Title The /var/log/messages file must be owned by root. Vuln_Discuss Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Check_Content Verify that the "/var/log/messages" file is owned by "root" by running the following command: # ls -la /var/log/messages | cut -d' ' -f3 The output must look like the following example: ls -la /var/log/messages | cut -d' ' -f3 root If "root" is not returned as a result, this is a finding. Fix_Text Change the owner of the file "/var/log/messages" to "root" by running the following command: # chown root /var/log/messages Not_Reviewed Vuln_Num V-239570 Rule_ID SV-239570r662161_rule Severity medium Rule_Title The /var/log/messages file must have mode 0640 or less permissive. Vuln_Discuss Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Check_Content Verify that the "/var/log/messages" file is 0640 or less permissive by running the following command: # ls -lad /var/log/messages | cut -d' ' -f1 The output must look like the following example: ls -lad /var/log/messages | cut -d' ' -f1 -rw-r----- If "-rw-r-----" is not returned as a result, this is a finding. Fix_Text Change the permissions of the file "/var/log/messages" to "0640" by running the following command: # chmod 0640 /var/log/messages Not_Reviewed Vuln_Num V-239571 Rule_ID SV-239571r662164_rule Severity medium Rule_Title The SLES for vRealize must reveal error messages only to authorized users. Vuln_Discuss Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Check_Content Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the mode of the file is more permissive than "0640", this is a finding. Fix_Text Change the permissions of the syslog configuration file(s): # chmod 640 /etc/syslog-ng/syslog-ng.conf Not_Reviewed Vuln_Num V-239572 Rule_ID SV-239572r662167_rule Severity medium Rule_Title The SLES for vRealize must reveal error messages only to authorized users. Vuln_Discuss Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Check_Content Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the file is not owned by "root", this is a finding. Fix_Text Use the chown command to set the owner to "root": # chown root /etc/syslog-ng/syslog-ng.conf Not_Reviewed Vuln_Num V-239573 Rule_ID SV-239573r662170_rule Severity medium Rule_Title The SLES for vRealize must reveal error messages only to authorized users. Vuln_Discuss Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Check_Content Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the file is not group owned by "root", this is a finding. Fix_Text Change the group-owner of the "/etc/rsyslog.conf" file to "root": # chgrp root /etc/syslog-ng/syslog-ng.conf Not_Reviewed Vuln_Num V-239575 Rule_ID SV-239575r662176_rule Severity medium Rule_Title The SLES for vRealize must audit all account modifications. Vuln_Discuss Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Determine if execution of the "usermod" and "groupmod" executable are audited. # auditctl -l | egrep '(usermod|groupmod)' | grep perm=x If either "usermod" or "groupmod" are not listed with a permissions filter of at least "x", this is a finding. Fix_Text Configure execute auditing of the "usermod" and "groupmod" executables run the DoD.script with the following command as "root": # /etc/dodscript.sh OR Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the audit.rules file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Restart the auditd service. # service auditd restart Not_Reviewed Vuln_Num V-239576 Rule_ID SV-239576r662179_rule Severity medium Rule_Title The SLES for vRealize must audit all account modifications. Vuln_Discuss Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/gshadow" are audited for writing. # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)' | grep perm=w If any of these are not listed with a permissions filter of at least "w", this is a finding. Fix_Text Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files run the DoD.script with the following command as root: # /etc/dodscript.sh OR Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files. Add the following to the audit.rules file: -w /etc/passwd -p w -k passwd -w /etc/shadow -p w -k shadow -w /etc/group -p w -k group -w /etc/gshadow -p w -k gshadow Restart the auditd service. # service auditd restart Not_Reviewed Vuln_Num V-239577 Rule_ID SV-239577r662182_rule Severity medium Rule_Title The SLES for vRealize must audit all account-disabling actions. Vuln_Discuss When SLES for vRealize accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events affecting user accessibility and system processing, SLES for vRealize must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that SLES for vRealize accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Determine if execution of the "passwd" executable is audited: # auditctl -l | grep watch=/usr/bin/passwd If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Fix_Text Configure SLES for vRealize to automatically audit account-disabling actions by running the following command: # /etc/dodscript.sh OR # echo '-w /usr/bin/passwd -p x -k passwd' >> /etc/audit/audit.rules Restart the auditd service. # service auditd restart Not_Reviewed Vuln_Num V-239578 Rule_ID SV-239578r662185_rule Severity medium Rule_Title The SLES for vRealize must audit all account removal actions. Vuln_Discuss When SLES for vRealize accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that SLES for vRealize accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Fix_Text Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Not_Reviewed Vuln_Num V-239579 Rule_ID SV-239579r877394_rule Severity medium Rule_Title The SLES for vRealize must implement cryptography to protect the integrity of remote access sessions. Vuln_Discuss Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Check_Content Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr Fix_Text Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart Not_Reviewed Vuln_Num V-239580 Rule_ID SV-239580r662191_rule Severity medium Rule_Title The SLES for vRealize must initiate session audits at system start-up. Vuln_Discuss If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Check_Content Check for the "audit=1" kernel parameter. # grep "audit=1" /proc/cmdline If no results are returned, this is a finding. Fix_Text Edit the grub bootloader file "/boot/grub/menu.lst" by appending the "audit=1" parameter to the kernel boot line. Reboot the system for the change to take effect. Not_Reviewed Vuln_Num V-239581 Rule_ID SV-239581r662194_rule Severity medium Rule_Title The SLES for vRealize must produce audit records containing information to establish the identity of any individual or process associated with the event. Vuln_Discuss Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. Check_Content Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding. Fix_Text Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start Not_Reviewed Vuln_Num V-239582 Rule_ID SV-239582r662197_rule Severity medium Rule_Title The SLES for vRealize must protect audit tools from unauthorized access. Vuln_Discuss Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Check_Content The following command will list which audit files on the system have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M' If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory: # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by the RPM database, this is a finding. Fix_Text For each file that has permissions that are more permissive than those expected by the RPM database, alter the permission of the file with the following command: # chmod <permission> <filename> Not_Reviewed Vuln_Num V-239583 Rule_ID SV-239583r662200_rule Severity medium Rule_Title The SLES for vRealize must protect audit tools from unauthorized modification. Vuln_Discuss Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the modification of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Check_Content The following command will list which audit files on the system where the group ownership has been modified: # rpm -V audit | grep '^......G' If there is output, this is a finding. Fix_Text For each file that has the incorrect group modification, alter the group ownership of the file with the following command: # chgrp <group> <filename> Not_Reviewed Vuln_Num V-239584 Rule_ID SV-239584r662203_rule Severity medium Rule_Title The SLES for vRealize must protect audit tools from unauthorized deletion. Vuln_Discuss Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the deletion of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Check_Content The following command will list which audit files on the system where the ownership has been modified: # rpm -V audit | grep '^.....U' If there is output, this is a finding. Fix_Text For each file that has the incorrect owner modification, alter the ownership of the file with the following command: # chown <owner> <filename> Not_Reviewed Vuln_Num V-239585 Rule_ID SV-239585r662206_rule Severity medium Rule_Title The SLES for vRealize must enforce password complexity by requiring that at least one special character be used. Vuln_Discuss Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. Check_Content Verify SLES for vRealize enforces password complexity by requiring that at least one special character be used by using the following command: Check the password "ocredit" option: # grep pam_cracklib.so /etc/pam.d/common-password Confirm the "ocredit" option is set to "-1" as in the example: password requisite pam_cracklib.so ocredit=-1 There may be other options on the line. If no such line is found, or the "ocredit" is not "-1", this is a finding. Fix_Text Configure SLES for vRealize to enforce password complexity by requiring that at least one special character be used by running the following command: If "ocredit" was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ ocredit=-1/' /etc/pam.d/common-password-vmware.local If "ocredit" was set incorrectly, run the following command: # sed -i '/pam_cracklib.so/ s/ocredit=../ocredit=-1/' /etc/pam.d/common-password-vmware.local Not_Reviewed Vuln_Num V-239586 Rule_ID SV-239586r662209_rule Severity low Rule_Title The SLES for vRealize must notify System Administrators and Information Systems Security Officer when accounts are created. Vuln_Discuss Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding. Fix_Text Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); }; Not_Reviewed Vuln_Num V-239587 Rule_ID SV-239587r662212_rule Severity low Rule_Title The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are modified. Vuln_Discuss Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding. Fix_Text Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); }; Not_Reviewed Vuln_Num V-239588 Rule_ID SV-239588r662215_rule Severity low Rule_Title The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are disabled. Vuln_Discuss When SLES for vRealize accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual SLES for vRealize users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events that affect user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify System Administrators and Information System Security Officers (ISSO) so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding. Fix_Text Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); }; Not_Reviewed Vuln_Num V-239589 Rule_ID SV-239589r662218_rule Severity low Rule_Title The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are removed. Vuln_Discuss When SLES for vRealize accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual SLES for vRealize users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events that affect user accessibility and system processing, SLES for vRealize must audit account removal actions and, as required, notify System Administrators and Information System Security Officers (ISSO) so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding. Fix_Text Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); }; Not_Reviewed Vuln_Num V-239590 Rule_ID SV-239590r877393_rule Severity medium Rule_Title The SLES for vRealize must use cryptographic mechanisms to protect the integrity of audit tools. Vuln_Discuss Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. Check_Content The following command will list which audit files on the system have file hashes different from what is expected by the RPM database: # rpm -V audit | grep '$1 ~ /..5/ && $2 != "c"' If there is output, this is a finding. Fix_Text The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database: # rpm -V audit | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to, refresh from distribution media or online repositories. rpm -Uvh [affected_package] Not_Reviewed Vuln_Num V-239591 Rule_ID SV-239591r852588_rule Severity medium Rule_Title The SLES for vRealize must automatically terminate a user session after inactivity time-outs have expired or at shutdown. Vuln_Discuss Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance. Check_Content Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding. Fix_Text Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null Not_Reviewed Vuln_Num V-239592 Rule_ID SV-239592r852589_rule Severity medium Rule_Title The SLES for vRealize must control remote access methods. Vuln_Discuss Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. SLES for vRealize functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). Check_Content Check the SSH daemon configuration for listening network addresses: # grep -i Listen /etc/ssh/sshd_config | grep -v '^#' If no configuration is returned, or if a returned "Listen" configuration contains addresses not designated for management traffic, this is a finding. Fix_Text Edit the SSH daemon configuration with the following command: # sed -i "/^[^#]ListenAddress/ c\ListenAddress = 0.0.0.0" /etc/ssh/sshd_config Replace "0.0.0.0" with the listening network addresses designated for management traffic. Not_Reviewed Vuln_Num V-239593 Rule_ID SV-239593r852590_rule Severity medium Rule_Title The SLES for vRealize must audit all account enabling actions. Vuln_Discuss Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Determine if execution of the usermod and groupmod executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the passwd executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "etc/group", and "etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding. Fix_Text Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to the aud.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart Not_Reviewed Vuln_Num V-239594 Rule_ID SV-239594r852591_rule Severity medium Rule_Title The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are created, or enabled when previously disabled. Vuln_Discuss Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. In order to detect and respond to events that affect user accessibility and application processing, SLES for vRealize systems must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Check_Content Determine if execution of the "usermod" and "groupmod" executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "passwd" executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding. Fix_Text Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to the aud.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart Not_Reviewed Vuln_Num V-239595 Rule_ID SV-239595r852592_rule Severity low Rule_Title The SLES for vRealize must audit the execution of privileged functions. Vuln_Discuss Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Check_Content To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: # grep path /etc/audit/audit.rules It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding. Fix_Text At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239596 Rule_ID SV-239596r852593_rule Severity low Rule_Title The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. Vuln_Discuss By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Check_Content Check the "pam_tally2" configuration: # more /etc/pam.d/common-auth Confirm the following line is configured: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_ti me=86400 root_unlock_time=300 # more /etc/pam.d/common-account Confirm the following line is configured: account required pam_tally2.so If no such lines are found, this is a finding. Fix_Text Edit "/etc/pam.d/common-auth" file and add the following line: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300 Edit "/etc/pam.d/common-account" file and add the following line: account required pam_tally2.so Not_Reviewed Vuln_Num V-239597 Rule_ID SV-239597r877390_rule Severity low Rule_Title The SLES for vRealize must off-load audit records onto a different system or media from the system being audited. Vuln_Discuss Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Check_Content Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding. Fix_Text Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); }; Not_Reviewed Vuln_Num V-239598 Rule_ID SV-239598r877389_rule Severity medium Rule_Title The SLES for vRealize must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Vuln_Discuss If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion. Check_Content Check "/etc/audit/auditd.conf" file for the "space_left_action" parameter with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding Expected Result: space_left_action = SYSLOG Notes: If the "space_left_action" parameter is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" parameter is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available. Fix_Text Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart Not_Reviewed Vuln_Num V-239599 Rule_ID SV-239599r852596_rule Severity medium Rule_Title The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts. Vuln_Discuss It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). Check_Content Check "/etc/audit/auditd.conf" file for the "space_left_action" parameter with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding Expected Result: space_left_action = SYSLOG Notes: If the "space_left_action" parameter is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" parameter is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available. Fix_Text Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart Not_Reviewed Vuln_Num V-239600 Rule_ID SV-239600r878121_rule Severity medium Rule_Title The SLES for vRealize must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). Vuln_Discuss Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative timeserver (e.g., mobile, teleworking, and tactical endpoints). Check_Content A remote NTP server should be configured for time synchronization. To verify one is configured, open the following files: # cat /etc/ntp.conf | grep server | grep -v '^#' # cat /etc/ntp.conf | grep peer | grep -v '^#' # cat /etc/ntp.conf | grep multicastclient | grep -v '^#' Confirm the servers and peers or multicastclient (as applicable) are local or an authoritative U.S. DoD source. If a non-local/non-authoritative time-server is used, this is a finding. Fix_Text To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver by using the following command: # echo "server [ntpserver]" >> /etc/ntp.conf Replace [ntpserver] with one of the USNO time servers. This instructs the NTP software to contact that remote server to obtain time data. Restart the service with: # service ntp restart Not_Reviewed Vuln_Num V-239601 Rule_ID SV-239601r877038_rule Severity medium Rule_Title The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root. Vuln_Discuss A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system account, unauthorized modifications could result in the failure of time synchronization. Check_Content Check the ownership of the NTP configuration file: # ls -l /etc/ntp.conf If the owner is not "root", this is a finding. Fix_Text Change the owner of the NTP configuration file to "root": # chown root /etc/ntp.conf Not_Reviewed Vuln_Num V-239602 Rule_ID SV-239602r877038_rule Severity medium Rule_Title The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system. Vuln_Discuss A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system group, unauthorized modifications could result in the failure of time synchronization. Check_Content Check the group ownership of the NTP configuration file: # ls -lL /etc/ntp.conf If the group-owner is not "root", "bin", "sys", or "system", this is a finding. Fix_Text Change the group-owner of the NTP configuration file: # chgrp root /etc/ntp.conf Not_Reviewed Vuln_Num V-239603 Rule_ID SV-239603r877038_rule Severity medium Rule_Title The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive. Vuln_Discuss A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not protected, unauthorized modifications could result in the failure of time synchronization. Check_Content Check that the mode for the NTP configuration file is not more permissive than "0640": # ls -l /etc/ntp.conf If the mode is more permissive than "0640", this is a finding. Fix_Text Change the mode of the NTP configuration file to "0640" or less permissive: # chmod 0640 /etc/ntp.conf Not_Reviewed Vuln_Num V-239604 Rule_ID SV-239604r852601_rule Severity medium Rule_Title The SLES for vRealize must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second. Vuln_Discuss Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative timeserver (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the time difference. Check_Content Run the following command to determine the current status of the "ntpd" service: # service ntp status If the service is configured, the command should show a list of the ntp servers and the status of the synchronization. If nothing is returned, this is a finding. If the service is configured, but does not show a status of "on", this is a finding. Fix_Text The "ntp" service can be enabled with the following command: # chkconfig ntp on # service ntp start Not_Reviewed Vuln_Num V-239605 Rule_ID SV-239605r852602_rule Severity medium Rule_Title The SLES for vRealize must notify designated personnel if baseline configurations are changed in an unauthorized manner. Vuln_Discuss Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the SLES for vRealize. SLES for vRealize’s IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. Check_Content Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding. Fix_Text Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start Not_Reviewed Vuln_Num V-239606 Rule_ID SV-239606r852603_rule Severity medium Rule_Title The SLES for vRealize must audit the enforcement actions used to restrict access associated with changes to the system. Vuln_Discuss Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact. Check_Content Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding. Fix_Text Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start Not_Reviewed Vuln_Num V-239607 Rule_ID SV-239607r877463_rule Severity medium Rule_Title The RPM package management tool must cryptographically verify the authenticity of all software packages during installation. Vuln_Discuss Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or SLES for vRealize components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. SLES for vRealize should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. Check_Content Verify RPM signature validation is not disabled: # grep nosignature /usr/lib/rpm/rpmrc ~root/.rpmrc The result should either respond with no such file or directory, or an empty return. If any configuration is found, this is a finding. Fix_Text Edit the RPM configuration files containing the "nosignature" option and remove the option. Not_Reviewed Vuln_Num V-239608 Rule_ID SV-239608r852605_rule Severity medium Rule_Title The SLES for vRealize must audit all activities performed during nonlocal maintenance and diagnostic sessions. Vuln_Discuss If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. Check_Content Verify that all commands run by "root" are being audited with the following command: # cat /etc/audit/audit.rules | grep execve If the following lines are not displayed, this is a finding. -a exit,always -F arch=b64 -F euid=0 -S execve -a exit,always -F arch=b32 -F euid=0 -S execve Fix_Text Configure SLES for vRealize to log all commands run by "root" with the following command: # echo "-a exit,always -F arch=b64 -F euid=0 -S execve" >> /etc/audit/audit.rules # echo "-a exit,always -F arch=b32 -F euid=0 -S execve" >> /etc/audit/audit.rules Restart the audit service: # service auditd restart Not_Reviewed Vuln_Num V-239609 Rule_ID SV-239609r877382_rule Severity medium Rule_Title The SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. Vuln_Discuss Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms, such as a hash function or digital signature, to protect integrity. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. The SLES for vRealize can meet this requirement through leveraging a cryptographic module. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). Check_Content Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr Fix_Text Update the Ciphers directive with the following command: # sed -i '/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr' /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart Not_Reviewed Vuln_Num V-239610 Rule_ID SV-239610r877381_rule Severity medium Rule_Title The SLES for vRealize must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. Vuln_Discuss Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as encryption to protect confidentiality. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). The SLES for vRealize can meet this requirement through leveraging a cryptographic module. Check_Content Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding. Fix_Text Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config Not_Reviewed Vuln_Num V-239611 Rule_ID SV-239611r877380_rule Severity high Rule_Title The SLES for vRealize must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Vuln_Discuss Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The SLES for vRealize must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Check_Content Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr Fix_Text Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart Not_Reviewed Vuln_Num V-239612 Rule_ID SV-239612r916422_rule Severity high Rule_Title The SLES for vRealize must protect the confidentiality and integrity of transmitted information. Vuln_Discuss Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Check_Content Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr Fix_Text Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart Not_Reviewed Vuln_Num V-239613 Rule_ID SV-239613r878122_rule Severity high Rule_Title The SLES for vRealize must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). Vuln_Discuss Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to leverage transmission protection mechanisms such as TLS, SSL VPNs, or IPsec. Alternative physical protection measures include PDS. PDSs are used to transmit unencrypted classified National Security Information (NSI) through an area of lesser classification or control. Since the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Check_Content Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding. Fix_Text Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config Not_Reviewed Vuln_Num V-239614 Rule_ID SV-239614r852611_rule Severity medium Rule_Title The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution. Vuln_Discuss Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks. Check_Content The stock kernel has support for non-executable program stacks compiled in by default. Verify that the option was specified when the kernel was built: # grep -i "execute" /var/log/boot.msg The message: "NX (Execute Disable) protection: active" will be written in the boot log when compiled in the kernel. This is the default for x86_64. To activate this support, the "noexec=on" kernel parameter must be specified at boot time. Check for a message with the following command: # grep –i "noexec" /var/log/boot.msg The message: "Kernel command line: <boot parameters> noexec=on" will be written to the boot log when properly appended to the "/boot/grub/menu.lst" file. If non-executable program stacks have not been configured, this is a finding. Fix_Text Edit the "/boot/grub/menu.lst" file and add "noexec=on" to the end of each kernel line entry. A system restart is required to implement this change. Not_Reviewed Vuln_Num V-239615 Rule_ID SV-239615r852612_rule Severity medium Rule_Title The SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution. Vuln_Discuss Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks. Check_Content Verify "randomize_va_space" has not been changed from the default "1" setting. # sysctl kernel.randomize_va_space If the return value is not "kernel.randomize_va_space = 1", this is a finding. Fix_Text Run the following command: #sysctl kernel.randomize_va_space=1 Not_Reviewed Vuln_Num V-239616 Rule_ID SV-239616r852613_rule Severity medium Rule_Title The SLES for vRealize must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. Vuln_Discuss If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection. Check_Content Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding. Fix_Text Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); }; Not_Reviewed Vuln_Num V-239617 Rule_ID SV-239617r662302_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access security objects occur. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding. Fix_Text At a minimum, the audit system should collect administrator actions for all users and "root". Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239618 Rule_ID SV-239618r662305_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding. Fix_Text Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start Not_Reviewed Vuln_Num V-239619 Rule_ID SV-239619r662308_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify privileges occur. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=chmod,lchown,sethostname,fchmod,fchown,adjtimex,init_module,delete_module,chown,lchown32,fchown32,chown32,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime,fchownat,fchmodat If no lines are returned, this is a finding. Fix_Text At a minimum, the audit system should collect file permission changes for all users and "root". Add the following to the "/etc/audit/audit.rules" file: -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S chmod OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239620 Rule_ID SV-239620r662311_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify security objects occur. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding. Fix_Text At a minimum, the audit system should collect administrator actions for all users and root. Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239621 Rule_ID SV-239621r662314_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding. Fix_Text Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start Not_Reviewed Vuln_Num V-239622 Rule_ID SV-239622r662317_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete privileges occur. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To determine if SLES for vRealize is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=chmod,lchown,sethostname,fchmod,fchown,adjtimex,init_module,delete_module,chown,lchown32,fchown32,chown32,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime,fchownat,fchmodat If no lines are returned, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and root. Add the following to the "/etc/audit/audit.rules" file: -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S chmod OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239623 Rule_ID SV-239623r662320_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security levels occur. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding. Fix_Text Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start Not_Reviewed Vuln_Num V-239624 Rule_ID SV-239624r662323_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security objects occur. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect administrator actions for all users and root. Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239625 Rule_ID SV-239625r662326_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful logon attempts occur. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding. Fix_Text Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239626 Rule_ID SV-239626r662329_rule Severity medium Rule_Title The SLES for vRealize must generate audit records for privileged activities or other system-level access. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: # grep path /etc/audit/audit.rules It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding. Fix_Text At a minimum, the SLES for vRealize audit system should collect the execution of privileged commands for all users and "root". To find the relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239627 Rule_ID SV-239627r662332_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit the loading and unloading of dynamic kernel modules. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content Determine if "/sbin/insmod" is audited: # cat /etc/audit/audit.rules | grep "/sbin/insmod" If the result does not start with "-w" and contain "-p x", this is a finding. Fix_Text Add the following to the "/etc/audit/audit.rules" file in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239628 Rule_ID SV-239628r662335_rule Severity medium Rule_Title The SLES for vRealize must generate audit records showing starting and ending time for user access to the system. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding. Fix_Text Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239629 Rule_ID SV-239629r662338_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when concurrent logons to the same account occur from different sources. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding. Fix_Text Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239630 Rule_ID SV-239630r662341_rule Severity medium Rule_Title The SLES for vRealize must generate audit records when successful/unsuccessful accesses to objects occur. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding. Fix_Text Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start Not_Reviewed Vuln_Num V-239631 Rule_ID SV-239631r662344_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs. Vuln_Discuss Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. Check_Content Verify auditd is configured to audit failed file access attempts. There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S creat" | grep -e "-F exit=-EPERM" # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S creat" | grep -e "-F exit=-EACCES" There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall. If not, this is a finding. Fix_Text Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b32 -S creat -F exit=-EPERM -a exit,always -F arch=b32 -S creat -F exit=-EACCES Not_Reviewed Vuln_Num V-239632 Rule_ID SV-239632r662347_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs. Vuln_Discuss Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. Check_Content Verify auditd is configured to audit failed file access attempts. There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S open" | grep -e "-F exit=-EPERM" # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S open" | grep -e "-F exit=-EACCES" There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall. If not, this is a finding. Fix_Text Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S open -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EACCES -a exit,always -F arch=b32 -S open -F exit=-EPERM -a exit,always -F arch=b32 -S open -F exit=-EACCES Not_Reviewed Vuln_Num V-239633 Rule_ID SV-239633r662350_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs. Vuln_Discuss Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. Check_Content Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S openat" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding. Fix_Text Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S openat -F success=0 -a exit,always -F arch=b32 -S openat -F success=0 Not_Reviewed Vuln_Num V-239634 Rule_ID SV-239634r662353_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs. Vuln_Discuss Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. Check_Content Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S truncate" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding. Fix_Text Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S truncate -F success=0 -a exit,always -F arch=b32 -S truncate -F success=0 Not_Reviewed Vuln_Num V-239635 Rule_ID SV-239635r662356_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs. Vuln_Discuss Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. Check_Content Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S ftruncate" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding. Fix_Text Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S ftruncate -F success=0 -a exit,always -F arch=b32 -S ftruncate -F success=0 Not_Reviewed Vuln_Num V-239636 Rule_ID SV-239636r662359_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit user deletions of files and programs. Vuln_Discuss Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence. Check_Content To determine if SLES for vRealize is configured to audit calls to the "unlink" system call, run the following command: # auditctl -l | grep syscall | grep unlink | grep -v unlinkat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "unlinkat" system call, run the following command: # auditctl -l | grep syscall | grep unlinkat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "rename" system call, run the following command: # auditctl -l | grep syscall | grep rename | grep -v renameat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "renameat" system call, run the following command: # auditctl -l | grep syscall | grep renameat If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. Fix_Text Edit the audit.rules file and add the following line(s) to enable auditing of deletions of files and programs: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 Not_Reviewed Vuln_Num V-239637 Rule_ID SV-239637r662362_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit file deletions. Vuln_Discuss If the SLES for vRealize system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. Check_Content Check SLES for vRealize audit configuration to determine if file and directory deletions are audited: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -i "rmdir" If no results are returned or the results do not contain "-S rmdir", this is a finding. Fix_Text Add the following to the "/etc/audit/audit.rules" file in order to capture file and directory deletion events: -a always,exit -F arch=b64 -S rmdir -S rm -a always,exit -F arch=b32 -S rmdir -S rm Not_Reviewed Vuln_Num V-239638 Rule_ID SV-239638r662365_rule Severity medium Rule_Title Audit logs must be rotated daily. Vuln_Discuss Rotate audit logs daily to preserve audit file system space and to conform to the DISA requirement. If it is not rotated daily and moved to another location, then there is more of a chance for the compromise of audit data by malicious users. Check_Content Check for a logrotate entry that rotates audit logs. # ls -l /etc/logrotate.d/audit If it exists, check for the presence of the daily rotate flag: # egrep "daily" /etc/logrotate.d/audit The command should produce a "daily" entry in the logrotate file for the audit daemon. If the daily entry is missing, this is a finding. Fix_Text Create or edit the "/etc/logrotate.d/audit" file and add the daily entry, such as: /var/log/audit/audit.log { compress dateext rotate 15 daily missingok notifempty create 600 root root sharedscripts postrotate /sbin/service auditd restart 2> /dev/null > /dev/null || true endscript } Not_Reviewed Vuln_Num V-239639 Rule_ID SV-239639r662368_rule Severity medium Rule_Title The SLES for vRealize must generate audit records for all direct access to the information system. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding. Fix_Text Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239640 Rule_ID SV-239640r662371_rule Severity medium Rule_Title The SLES for vRealize must generate audit records for all account creations, modifications, disabling, and termination events. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content Determine if execution of the "usermod" and "groupmod" executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the passwd executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding. Fix_Text Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to audit.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239641 Rule_ID SV-239641r662374_rule Severity medium Rule_Title The SLES for vRealize must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations. Vuln_Discuss Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Check_Content Determine if "/sbin/insmod" is audited: # cat /etc/audit/audit.rules | grep "/sbin/insmod" If the result does not start with "-w" and contain "-p x", this is a finding. Fix_Text Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x OR # /etc/dodscript.sh Not_Reviewed Vuln_Num V-239642 Rule_ID SV-239642r878123_rule Severity medium Rule_Title The SLES for vRealize must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Vuln_Discuss Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The SLES for vRealize must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Check_Content Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding. Fix_Text Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config Not_Reviewed Vuln_Num V-239643 Rule_ID SV-239643r852615_rule Severity medium Rule_Title The SLES for vRealize must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. Vuln_Discuss Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Check_Content Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding. Fix_Text Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); }; Not_Reviewed Vuln_Num V-239644 Rule_ID SV-239644r662383_rule Severity medium Rule_Title The SLES for vRealize must prevent the use of dictionary words for passwords. Vuln_Discuss If SLES for vRealize system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks. Check_Content Check "/etc/pam.d/common-password" for "pam_cracklib" configuration: # grep pam_cracklib /etc/pam.d/common-password* If "pam_cracklib" is not present, this is a finding. Ensure the passwd command uses the common-password settings. # grep common-password /etc/pam.d/passwd If a line "password include common-password" is not found then the password checks in common-password will not be applied to new passwords, this is a finding. Fix_Text Edit "/etc/pam.d/common-password" and configure "pam_cracklib" by adding a line such as "password requisite pam_cracklib.so". Not_Reviewed Vuln_Num V-239645 Rule_ID SV-239645r662386_rule Severity medium Rule_Title The SLES for vRealize must prevent the use of dictionary words for passwords. Vuln_Discuss If SLES for vRealize allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks. Check_Content Verify the module "pam_cracklib.so" is present. Procedure: # ls /lib/security/ Confirm that "pam_cracklib.so" is present in the directory listing. If "pam_cracklib.so" is not present, this is a finding. Verify the file "/etc/pam.d/common-password" is configured. Procedure: # grep pam_cracklib /etc/pam.d/common-password* If a line containing "password required pam_cracklib.so" is not present, this is a finding. Fix_Text Configure SLES for vRealize to prevent the use of dictionary words for passwords. Edit the file "/etc/pam.d/common-password". Configure "common-password" by adding a line such as: password required pam_cracklib.so Save the changes made to the file "/etc/pam.d/common-password". Not_Reviewed Vuln_Num V-239646 Rule_ID SV-239646r662389_rule Severity medium Rule_Title The SLES for vRealize must prevent the use of dictionary words for passwords. Vuln_Discuss If SLES for vRealize allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks. Check_Content Verify the "passwd" command uses the "common-password" settings. Procedure: # grep common-password /etc/pam.d/passwd If line "password include common-password" is not found then the password checks in common-password will not be applied to new passwords, and this is a finding. Fix_Text Configure SLES for vRealize to prevent the use of dictionary words for passwords. Procedure: Edit the file "/etc/pam.d/passwd". Configure "passwd" by adding a line such as: password include common-password Save the changes made to the file. Not_Reviewed Vuln_Num V-239647 Rule_ID SV-239647r662392_rule Severity medium Rule_Title The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. Vuln_Discuss Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. Check_Content Check the value of the "FAIL_DELAY" variable and the ability to use it: # grep FAIL_DELAY /etc/login.defs The following result should be displayed: FAIL_DELAY 4 If the value does not exist, or is less than "4", this is a finding. Check for the use of "pam_faildelay": # grep pam_faildelay /etc/pam.d/common-auth* The following result should be displayed: /etc/pam.d/common-auth:auth optional pam_faildelay.so If the "pam_faildelay.so" module is not listed or is commented out, this is a finding. Fix_Text Add the "pam_faildelay" module and set the "FAIL_DELAY" variable. Edit the "/etc/login.defs" file and set the value of the "FAIL_DELAY" variable to "4" or more. Edit "/etc/pam.d/common-auth" and add a "pam_faildelay" entry if one does not exist, such as: auth optional pam_faildelay.so Not_Reviewed Vuln_Num V-239648 Rule_ID SV-239648r662395_rule Severity medium Rule_Title The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. Vuln_Discuss Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. Check_Content Verify the SLES for vRealize enforces a delay of at least "4" seconds between logon prompts following a failed logon attempt. Review the file "/etc/login.defs" and verify the parameter "FAIL_DELAY" is a value of "4" or greater. Procedure: # grep FAIL_DELAY /etc/login.defs The typical configuration looks something like this: FAIL_DELAY 4 If the parameter "FAIL_DELAY" does not exists, or is less than "4", this is a finding. Fix_Text Configure SLES for vRealize to enforce a delay of at least "4" seconds between logon prompts following a failed logon attempt. Set the parameter "FAIL_DELAY" to a value of "4" or greater. Edit the file "/etc/login.defs". Set the parameter "FAIL_DELAY" to a value of "4" or greater. The typical configuration looks something like this: FAIL_DELAY 4 Save the changes made to the file. Not_Reviewed Vuln_Num V-239649 Rule_ID SV-239649r662398_rule Severity medium Rule_Title The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. Vuln_Discuss Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. Check_Content Verify SLES for vRealize enforces a delay of at least "4" seconds between logon prompts following a failed logon attempt. Verify the use of the "pam_faildelay" module. Procedure: # grep pam_faildelay /etc/pam.d/common-auth* The typical configuration looks something like this: #delay is in micro seconds auth required pam_faildelay.so delay=4000000 If the line is not present, this is a finding. Fix_Text Configure SLES for vRealize to enforce a delay of at least "4" seconds between logon prompts following a failed logon attempt with the following command: # sed -i "/^[^#]*pam_faildelay.so/ c\auth required pam_faildelay.so delay=4000000" /etc/pam.d/common-auth-vmware.local Not_Reviewed Vuln_Num V-239650 Rule_ID SV-239650r662401_rule Severity medium Rule_Title The SLES for vRealize must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. Vuln_Discuss Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. Check_Content Verify SLES for vRealize is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. Fix_Text Configure SLES for vRealize in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. Not_Reviewed Vuln_Num V-239651 Rule_ID SV-239651r662404_rule Severity medium Rule_Title The SLES for vRealize must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. Vuln_Discuss Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. Check_Content Check for the configured umask value in login.defs with the following command: # grep UMASK /etc/login.defs If the default umask is not "077", this a finding. Note: If the default umask is "000" or allows for the creation of world-writable files this becomes a CAT I finding. Fix_Text To configure the correct UMASK setting run the following command: # sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs NOTE: Setting "UMASK 077" will break upgrades and other possible functionality within the product. When making upgrades to the system, you will need to revert this UMASK setting to the default for the duration of upgrades and then re-apply. Not_Reviewed Vuln_Num V-258448 Rule_ID SV-258448r928863_rule Severity high Rule_Title The version of vRealize Operations Manager 6.x SLES running on the system must be a supported version. Vuln_Discuss Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). Check_Content vRealize Operations Manager 6.x SLES is no longer supported by the vendor. If the system is running vRealize Operations Manager 6.x SLES, this is a finding. Fix_Text Upgrade to a supported version. Not_Reviewed Vuln_Num V-258512 Rule_ID SV-258512r929628_rule Severity medium Rule_Title Any publicly accessible connection to the SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. Vuln_Discuss Display of a standardized and approved use notification before granting access to the publicly accessible SLES for vRealize ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." Check_Content Check issue file to verify that it contains one of the DoD required banners. # cat /etc/issue "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." If it does not, this is a finding. Fix_Text To configure SLES for vRealize to display the Standard Mandatory DoD Notice and Consent Banner, run the DoD.script with the following command as "root": # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258513 Rule_ID SV-258513r929631_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit all administrative, privileged, and security actions. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Check the auditing configuration of the system: # cat /etc/audit/audit.rules | grep -i "auditd.conf" If no results are returned, or the line does not start with "-w", this is a finding. Expected Result: -w /etc/audit/auditd.conf Fix_Text Add the following lines to the "audit.rules" file to enable auditing of administrative, privileged, and security actions: echo '-w /etc/audit/auditd.conf' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258514 Rule_ID SV-258514r929634_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit all attempts to alter system time through adjtimex. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Check if SLES for vRealize system is configured to audit calls to the "adjtimex" system call, run the following command: # grep -w "adjtimex" /etc/audit/audit.rules If SLES for vRealize is configured to audit time changes, it will return at least two lines containing "-S adjtimex" that also contain "arch=b64". If no line is returned, this is a finding. Fix_Text Run the following command: echo '-a exit,always -F arch=b64 -S adjtimex -F auid=0' >> /etc/audit/audit.rules echo '-a exit,always -F arch=b64 -S adjtimex -F auid>=500 -F auid!=4294967295' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258515 Rule_ID SV-258515r929637_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit all attempts to alter system time through settimeofday. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Check if SLES for vRealize is configured to audit calls to the "settimeofday" system call, run the following command: # grep -w "settimeofday" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least two lines containing "-S settimeofday" that also contain "arch=b64". If no line is returned, this is a finding. Fix_Text Run the following command: echo '-a exit,always -F arch=b64 -S settimeofday -F auid=0' >> /etc/audit/audit.rules echo '-a exit,always -F arch=b64 -S settimeofday -F auid>=500 -F auid!=4294967295' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258516 Rule_ID SV-258516r929640_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit all attempts to alter system time through stime. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Check if SLES for vRealize is configured to audit calls to the "settimeofday" system call, run the following command: # grep -w "stime" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least two lines containing "-S settimeofday" that also contain "arch=b64". If no line is returned, this is a finding. Fix_Text Run the following command: echo '-a exit,always -F arch=b64 -S stime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258517 Rule_ID SV-258517r929643_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit all attempts to alter system time through clock_settime. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Check if SLES for vRealize is configured to audit calls to the "clock_settime" system call, run the following command: # grep -w "clock_settime" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least a line containing "-S clock_settime" that also contain "arch=b64". If no line is returned, this is a finding. Fix_Text Run the following command: echo '-a exit,always -F arch=b64 -S clock_settime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258518 Rule_ID SV-258518r929646_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit all attempts to alter system time through /etc/localtime. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content To determine if SLES for vRealize is configured to audit attempts to alter time via the /etc/localtime file, run the following command: # auditctl -l | grep "watch=/etc/localtime" If SLES for vRealize is configured to audit this activity, it will return a line. LIST_RULES: exit,always watch=/etc/localtime perm=wa key=localtime If no line is returned, this is a finding. Fix_Text To configure the SLES for vRealize to audit attempts to alter time via the /etc/localtime file, run the following command: echo '-w /etc/localtime -p wa -k localtime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258519 Rule_ID SV-258519r929649_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sethostname. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "sethostname" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least one line. If no line is returned, this is a finding. Fix_Text Run the following command: # echo '-a exit,always -F arch=b64 -S sethostname' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258520 Rule_ID SV-258520r929652_rule Severity medium Rule_Title The SLES for vRealize audit system must be configured to audit all attempts to alter the system through setdomainname. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "setdomainname" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return a line. If no line is returned, this is a finding. Fix_Text Run the following command: # echo '-a exit,always -F arch=b64 -S setdomainname' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258521 Rule_ID SV-258521r929655_rule Severity medium Rule_Title The SLES for vRealize must be configured to audit all attempts to alter the system through sched_setparam. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "sched_setparam" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return a line. If no line is returned, this is a finding. Fix_Text Run the following command: echo '-a exit,always -F arch=b64 -S sched_setparam' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258522 Rule_ID SV-258522r929658_rule Severity medium Rule_Title The SLES for vRealize must be configured to audit all attempts to alter the system through sched_setscheduler. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "sched_setscheduler" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return a line. If no line is returned, this is a finding. Fix_Text Run the following command: echo '-a exit,always -F arch=b64 -S sched_setscheduler' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258523 Rule_ID SV-258523r929661_rule Severity medium Rule_Title The SLES for vRealize must be configured to audit all attempts to alter /var/log/faillog. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Verify that attempts to alter the log files /var/log/faillog are audited: # egrep "faillog" /etc/audit/audit.rules If "-w /var/log/faillog -p wa" entry does not exist, this is a finding. Fix_Text Ensure attempts to alter /var/log/faillog are audited by modifying /etc/audit/audit.rules to contain "-w /var/log/faillog -p wa" with the following command: echo '-w /var/log/faillog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258524 Rule_ID SV-258524r929664_rule Severity medium Rule_Title The SLES for vRealize must be configured to audit all attempts to alter /var/log/lastlog. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Verify that attempts to alter the log files /var/log/lastlog are audited: # egrep "lastlog" /etc/audit/audit.rules If "-w /var/log/lastlog -p wa" entry does not exist, this is a finding. Fix_Text Ensure attempts to alter /var/log/lastlog are audited by modifying /etc/audit/audit.rules to contain "-w /var/log/lastlog -p wa" with the following command: echo '-w /var/log/lastlog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed Vuln_Num V-258525 Rule_ID SV-258525r929667_rule Severity medium Rule_Title The SLES for vRealize must be configured to audit all attempts to alter /var/log/tallylog. Vuln_Discuss Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Check_Content Verify that attempts to alter the log files /var/log/tallylog are audited: # egrep "tallylog" /etc/audit/audit.rules If "-w /var/log/tallylog -p wa" entry does not exist, this is a finding. Fix_Text Ensure attempts to alter /var/log/tallylog are audited by modifying /etc/audit/audit.rules to contain "-w /var/log/tallylog -p wa" with the following command: echo '-w /var/log/tallylog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh Not_Reviewed