13:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"SUSE Linux Enterprise Server 15 Security Technical Implementation Guide"}],["$","span",null,{"className":"bg-badge-archived-bg text-badge-archived-text rounded-full px-3 py-1 text-xs font-medium","children":"Archived"}],["$","$L1d",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","2","R","7"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Feb 19, 2026"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"SLES_15_STIG","children":"SLES_15_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":214}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","linux",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"linux"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",20]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",172]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",22]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=SUSE%20Linux%20Enterprise%20Server%2015%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=SUSE%20Linux%20Enterprise%20Server%2015%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=SUSE%20Linux%20Enterprise%20Server%2015%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],false]}]]}],["$","$L1e",null,{"checks":[{"id":"cbdf1d2d-3408-400e-a18a-42da4b24d990","vulnId":"V-234800","severity":"high","ruleTitle":"The SUSE operating system must be a vendor-supported release.","description":"A SUSE operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRelease\t\tReleased\t\tGeneral Support\t\tLong Term Support\n15.1\t\t24 Jun 2019\t\t31 Jan 2021\t\t\t31 Jan 2024\n15.2\t\t21 Jul 2020\t\t31 Dec 2021\t\t\t31 Dec 2024\n15.3\t\t22 Jun 2021\t\t31 Dec 2022\t\t\t31 Dec 2025\n15.4\t\t21 Jun 2022\t\t31 Dec 2023\t\t\t31 Dec 2026\n15.5\t\t20 Jun 2023\t\t31 Dec 2024\t\t\t31 Dec 2027\n15.6\t\t26 Jun 2024\t\t31 Dec 2025\t\t\t31 Dec 2028\n15.7\t\t17 Jun 2025\t\t31 Jul 2031\t\t\t31 Jul 2034","checkContent":"Verify the SUSE operating system is a vendor-supported release.\n\nUse the following command to verify the SUSE operating system is a vendor-supported release:\n\n> cat /etc/os-release\n\nNAME=\"SLES\"\nVERSION=\"15\"\n\nOr any SUSE Linux Enterprise 15 Service Pack follow up release.\n\nNAME=\"SLES\"\nVERSION=\"15-SPx\"\n\nCurrent End of Life for SLES 15 General Support is 31 Jul 2028 and Long-term Support is until 31 Jul 2031.\n\nIf the release is not supported by the vendor, this is a finding.","fixText":"Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription.\n\nIf the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system."},{"id":"1c25b25e-3b85-4374-bf98-d86dbf647a48","vulnId":"V-234802","severity":"medium","ruleTitle":"Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.","description":"Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep SUSE operating system and application software patched is a common mistake made by IT professionals. New patches are released frequently, and it is often difficult for even experienced System Administrators (SAs) to keep abreast of all the new patches. When new weaknesses in a SUSE operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.","checkContent":"Verify the SUSE operating system security patches and updates are installed and up to date.\n\nNote: Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).\n\nCheck for required SUSE operating system patches and updates with the following command:\n\n> sudo zypper patch-check\n\n0 patches needed (0 security patches)\n\nIf the patch repository data is corrupt, check that the available package security updates have been installed on the system with the following command:\n\n> cut -d \"|\" -f 1-4 -s --output-delimiter \" | \" /var/log/zypp/history | grep -v \" radd \"\n\n2016-12-14 11:59:36 | install | libapparmor1-32bit | 2.8.0-2.4.1\n2016-12-14 11:59:36 | install | pam_apparmor | 2.8.0-2.4.1\n2016-12-14 11:59:36 | install | pam_apparmor-32bit | 2.8.0-2.4.1\n\nIf the SUSE operating system has not been patched within the site or PMO frequency, this is a finding.","fixText":"Install the applicable SUSE operating system patches available from SUSE by running the following command:\n\n> sudo zypper patch"},{"id":"ce21baf7-d3a5-448e-b30a-48da3cf5a372","vulnId":"V-234803","severity":"medium","ruleTitle":"The SUSE operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting access via local console.","description":"$1f","checkContent":"$20","fixText":"$21"},{"id":"9700e6cc-ba85-484a-b7b7-7815b1ff834a","vulnId":"V-234804","severity":"high","ruleTitle":"The SUSE operating system must not have the vsftpd package installed if not required for operational support.","description":"It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nSUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions).\n\nExamples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled.\n\nSatisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049","checkContent":"Verify the vsftpd package is not installed on the SUSE operating system.\n\nCheck that the vsftpd package is not installed on the SUSE operating system by running the following command:\n\n> zypper info vsftpd | grep Installed\n\nIf \"vsftpd\" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.","fixText":"Document the \"vsftpd\" package with the ISSO as an operational requirement or remove it from the system with the following command:\n\n> sudo zypper remove vsftpd"},{"id":"2eb2ff0b-39c2-4884-ba73-e7020dbf3a08","vulnId":"V-234805","severity":"medium","ruleTitle":"The SUSE operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting access via SSH.","description":"$22","checkContent":"$23","fixText":"$24"},{"id":"296e38c4-5f30-40f1-ab57-fdd7feb796fa","vulnId":"V-234806","severity":"medium","ruleTitle":"The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI).","description":"The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI).\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007","checkContent":"Verify the SUSE operating system displays the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on via the local GUI. \n\nNote: If a graphical user interface is not installed, this requirement is Not Applicable.\n\nCheck the configuration by running the following command:\n\n> more /etc/gdm/Xsession\n\nThe beginning of the file must contain the following text immediately after (#!/bin/sh):\n\nif ! zenity --text-info \\\n--title \"Consent\" \\\n--filename=/etc/gdm/banner \\\n--no-markup \\\n--checkbox=\"Accept.\" 10 10; then\nsleep 1;\nexit 1;\nfi\n\nIf the beginning of the file does not contain the above text immediately after the line (#!/bin/sh), this is a finding.","fixText":"Configure the SUSE operating system to display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access.\n\nNote: If a graphical user interface is not installed, this requirement is Not Applicable.\n\nEdit the file \"/etc/gdm/Xsession\".\n\nAdd the following content to the file \"/etc/gdm/Xsession\" below the line #!/bin/sh:\n\nif ! zenity --text-info \\\n--title \"Consent\" \\\n--filename=/etc/gdm/banner \\\n--no-markup \\\n--checkbox=\"Accept.\" 10 10; then\nsleep 1;\nexit 1;\nfi\n\nSave the file \"/etc/gdm/Xsession\"."},{"id":"71e4a80f-3626-4271-b2eb-e5aa1069f6d4","vulnId":"V-234807","severity":"medium","ruleTitle":"The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.","description":"The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.\n\nTo establish acceptance of the application usage policy, a click-through banner at system logon is required. The system must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\".","checkContent":"$25","fixText":"$26"},{"id":"caea6775-86b0-4630-9e33-983c6feacd37","vulnId":"V-234808","severity":"medium","ruleTitle":"The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon.","description":"$27","checkContent":"Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nVerify the SUSE operating system displays a banner before local or remote access to the system via a graphical user logon.\n\nCheck that the SUSE operating system displays a banner at the logon screen by performing the following command:\n\n> grep banner-message-enable /etc/dconf/db/gdm.d/*\nbanner-message-enable=true\n\n> cat /etc/dconf/profile/gdm\nuser-db:user\nsystem-db:gdm\nfile-db:/usr/share/gdm/greeter-dconf-defaults\n\nIf \"banner-message-enable\" is set to \"false\" or is missing completely, this is a finding.","fixText":"Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nConfigure the SUSE operating system to display a banner before local or remote access to the system via a graphical user logon.\n\nCreate a database that will contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n> sudo mkdir -p /etc/dconf/db/gdm.d\n> sudo touch /etc/dconf/db/gdm.d/01-banner-message\n\nAdd the following content into /etc/dconf/profile/gdm:\n\nuser-db:user\nsystem-db:gdm\nfile-db:/usr/share/gdm/greeter-dconf-defaults\n\nAdd the following line to the \"[org/gnome/login-screen]\" section of the \"/etc/dconf/db/gdm.d/01-banner-message\" file:\n\n[org/gnome/login-screen]\nbanner-message-enable=true\n\nUpdate the system databases:\n\n> sudo dconf update\n\nUsers must log out and back in again before the system-wide settings take effect."},{"id":"86c06799-6ea8-4d22-95ee-7bc48f5eb26a","vulnId":"V-234809","severity":"medium","ruleTitle":"The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.","description":"$28","checkContent":"$29","fixText":"$2a"},{"id":"a96ff228-0716-4d5a-ae7e-597a51e7ed41","vulnId":"V-234810","severity":"medium","ruleTitle":"The SUSE operating system must be able to lock the graphical user interface (GUI).","description":"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nRegardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011","checkContent":"Verify the SUSE operating system allows the user to lock the GUI. \n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nRun the following command:\n\n> sudo gsettings get org.gnome.desktop.lockdown disable-lock-screen\n\nIf the result is \"true\", this is a finding.","fixText":"Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. This command must be run from an X11 session; otherwise, the command will not work correctly.\n\nConfigure the SUSE operating system to allow the user to lock the GUI.\n\nRun the following command to configure the SUSE operating system to allow the user to lock the GUI:\n\n> sudo gsettings set org.gnome.desktop.lockdown disable-lock-screen false"},{"id":"e3309ca5-d02c-4e52-b5cb-96c77fee50f6","vulnId":"V-234811","severity":"low","ruleTitle":"The SUSE operating system must utilize vlock to allow for session locking.","description":"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nRegardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012","checkContent":"Check that the SUSE operating system has the \"vlock\" package installed by running the following command: \n\n> zypper search --installed-only --match-exact --provides vlock\n\nIf the command outputs \"no matching items found\", this is a finding.","fixText":"Allow users to lock the console by installing the \"kbd\" package using zypper:\n\n> sudo zypper install kbd"},{"id":"f04e5bcf-664f-4ab4-9cec-6a812a8060a8","vulnId":"V-234812","severity":"medium","ruleTitle":"The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI).","description":"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. \n\nRather than relying on the users to manually lock their SUSE operating system session prior to vacating the vicinity, the SUSE operating system needs to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.","checkContent":"Verify the SUSE operating system initiates a session lock after a 15-minute period of inactivity via the GUI by running the following command:\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\n> sudo gsettings get org.gnome.desktop.session idle-delay\n\nuint32 900\n\nIf the command does not return a value less than or equal to \"900\", this is a finding.","fixText":"Configure the SUSE operating system to initiate a session lock after a 15-minute period of inactivity of the GUI by running the following command:\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable. This command must be run from an X11 session, otherwise the command will not work correctly.\n\n> sudo gsettings set org.gnome.desktop.session idle-delay 900"},{"id":"46fef0dc-ada9-4f34-ba73-b719932813f7","vulnId":"V-234813","severity":"medium","ruleTitle":"The SUSE operating system must initiate a session lock after a 10-minute period of inactivity.","description":"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. \n\nRather than relying on the users to manually lock their SUSE operating system session prior to vacating the vicinity, the SUSE operating system needs to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.","checkContent":"Verify the SUSE operating system must initiate a session logout after a 10-minute period of inactivity for all connection types. \n\nCheck the proper script exists to kill an idle session after a 10-minute period of inactivity with the following command:\n\n> cat /etc/profile.d/autologout.sh\nTMOUT=600\nreadonly TMOUT\nexport TMOUT\n\nIf the file \"/etc/profile.d/autologout.sh\" does not exist or the output from the function call is not the same, this is a finding.","fixText":"Configure the SUSE operating system to initiate a session lock after a 10-minute period of inactivity by modifying or creating (if it does not already exist) the \"/etc/profile.d/autologout.sh\" file and add the following lines to it:\n\nTMOUT=600\nreadonly TMOUT\nexport TMOUT\n\nSet the proper permissions for the \"/etc/profile.d/autologout.sh\" file with the following command:\n\n> sudo chmod +x /etc/profile.d/autologout.sh"},{"id":"736c65e6-425f-4c31-8792-cd44b3ef5039","vulnId":"V-234814","severity":"low","ruleTitle":"The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI).","description":"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. The SUSE operating system session lock event must include an obfuscation of the display screen to prevent other users from reading what was previously displayed.\n\nPublicly viewable images can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images conveys sensitive information.","checkContent":"Verify the SUSE operating system conceals via the session lock information previously visible on the display with a publicly viewable image in the GUI.\n\nNote: If the system does not have X Windows installed, this requirement is Not Applicable.\n\nCheck that the lock screen is set to a publicly viewable image by running the following command:\n\n> sudo gsettings get org.gnome.desktop.screensaver picture-uri \n'file:///usr/share/wallpapers/SLE-default-static.xml'\n\nIf nothing is returned or \"org.gnome.desktop.screensaver\" is not set, this is a finding.","fixText":"Note: If the system does not have X Windows installed, this requirement is Not Applicable.\n\nConfigure the SUSE operating system to use a publically viewable image by finding the Settings menu and then navigate to the Background selection section: \n\n- Click \"Activities\" on the top left.\n- Click \"Show Applications\" at the bottom of the Activities menu.\n- Click the \"Settings\" icon.\n- Click \"Background\" from left hand menu.\n- Select image and set the Lock Screen image to the user's choice.\n- Exit Settings Dialog."},{"id":"35c85abe-318b-4c52-9674-ecfc1e42c62b","vulnId":"V-234815","severity":"medium","ruleTitle":"The SUSE operating system must log SSH connection attempts and failures to the server.","description":"Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).","checkContent":"Verify SSH is configured to verbosely log connection attempts and failed logon attempts to the SUSE operating system.\n\nCheck that the SSH daemon configuration verbosely logs connection attempts and failed logon attempts to the server with the following command:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*loglevel'\n\nThe output message must contain the following text:\n\nLogLevel VERBOSE\n\nIf the output message does not contain \"VERBOSE\", the LogLevel keyword is missing, or the line is commented out, this is a finding.","fixText":"Configure SSH to verbosely log connection attempts and failed logon attempts to the SUSE operating system.\n\nAdd or update the following line in the \"/etc/ssh/sshd_config\" file:\n\nLogLevel VERBOSE\n\nThe SSH service will need to be restarted in order for the changes to take effect."},{"id":"f706a845-e93a-4c6f-aa75-85552ea471d9","vulnId":"V-234816","severity":"medium","ruleTitle":"The SUSE operating system must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.","description":"$2b","checkContent":"Verify the SUSE operating system implements DOD-approved encryption to protect the confidentiality of SSH remote connections.\n\nCheck the SSH daemon configuration for allowed ciphers with the following command:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*ciphers'\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\", \"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, or the \"Ciphers\" keyword is missing, this is a finding.","fixText":"Edit the SSH daemon configuration (/etc/ssh/sshd_config) and remove any ciphers not starting with \"aes\" and remove any ciphers ending with \"cbc\". If necessary, add a \"Ciphers\" line:\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon:\n\n> sudo systemctl restart sshd.service"},{"id":"9f17ec8b-a028-40cb-ba70-6e1b05a29605","vulnId":"V-234817","severity":"medium","ruleTitle":"The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.","description":"$2c","checkContent":"Verify the SUSE operating system for PKI-based authentication had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nCheck that the certification path to an accepted trust anchor for multifactor authentication is implemented with the following command:\n\n> grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf\n\ncert_policy = ca,oscp_on,signature,crl_auto;\n\nIf \"cert_policy\" is not set to include \"ca\", this is a finding.","fixText":"Configure the SUSE operating system for PKI-based authentication to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nModify all of the cert_policy lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ca\":\n\ncert_policy = ca,signature,oscp_on;\n\nNote: Additional certificate validation polices are permitted.\n\nAdditional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/."},{"id":"62e7af70-5eb1-4113-8883-78beddd8c4a9","vulnId":"V-234818","severity":"high","ruleTitle":"The SUSE operating system must not have the telnet-server package installed.","description":"It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nSUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions).\n\nExamples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled.\n\nSatisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049","checkContent":"Verify the telnet-server package is not installed on the SUSE operating system.\n\nCheck that the telnet-server package is not installed on the SUSE operating system by running the following command:\n\n> zypper info telnet-server | grep Installed\n\nIf the telnet-server package is installed, this is a finding.","fixText":"Remove the telnet-server package from the SUSE operating system by running the following command:\n\n> sudo zypper remove telnet-server"},{"id":"7956750b-b526-45d8-80dc-31c4a895c2dc","vulnId":"V-234819","severity":"high","ruleTitle":"SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.","description":"$2d","checkContent":"Verify that the SUSE operating system has set an encrypted root password. \n\nNote: If the system does not use a BIOS this requirement is Not Applicable.\n\nCheck that the encrypted password is set for root with the following command:\n\n> sudo cat /boot/grub2/grub.cfg | grep -i password \n\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString\n\nIf the root password entry does not begin with \"password_pbkdf2\", this is a finding.","fixText":"Note: If the system does not use a BIOS this requirement is Not Applicable.\n\nConfigure the SUSE operating system to encrypt the boot password.\n\nGenerate an encrypted (GRUB2) password for root with the following command:\n\n> grub2-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing the hash from the output, modify the \"/etc/grub.d/40_custom\" file and add the following two lines to add a boot password for the root entry:\n\nset superusers=\"root\"\npassword_pbkdf2 root grub.pbkdf2.sha512.VeryLongString\n\nGenerate an updated \"grub.conf\" file with the new password using the following commands:\n\n> sudo grub2-mkconfig --output=/tmp/grub2.cfg\n> sudo mv /tmp/grub2.cfg /boot/grub2/grub.cfg"},{"id":"08002711-84a1-4a68-a14c-7de7df0a9372","vulnId":"V-234820","severity":"high","ruleTitle":"SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.","description":"If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information.","checkContent":"Verify that the SUSE operating system has set an encrypted root password. \n\nNote: If the system does not use UEFI, this requirement is Not Applicable.\n\nCheck that the encrypted password is set for root with the following command:\n\n> sudo cat /boot/efi/EFI/sles/grub.cfg | grep -i password \n\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString\n\nIf the root password entry does not begin with \"password_pbkdf2\", this is a finding.","fixText":"Note: If the system does not use UEFI, this requirement is Not Applicable.\n\nConfigure the SUSE operating system to encrypt the boot password.\n\nGenerate an encrypted (GRUB2) password for root with the following command:\n\n> grub2-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing the hash from the output, modify the \"/etc/grub.d/40_custom\" file and add the following two lines to add a boot password for the root entry:\n\nset superusers=\"root\"\npassword_pbkdf2 root grub.pbkdf2.sha512.VeryLongString\n\nGenerate an updated \"grub.conf\" file with the new password using the following commands:\n\n> sudo grub2-mkconfig --output=/tmp/grub2.cfg\n> sudo mv /tmp/grub2.cfg /boot/efi/EFI/sles/grub.cfg"},{"id":"afbfac45-416c-4c0b-93db-7abe23b16c66","vulnId":"V-234821","severity":"medium","ruleTitle":"The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.","description":"$2e","checkContent":"$2f","fixText":"Configure the SUSE operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.\n\nAdd/modify /etc/firewalld configuration files to comply with the PPSM CAL.\n\nEnable the \"firewalld.service\" by running the following command:\n\n> sudo systemctl enable firewalld.service\n\nStart the \"firewalld.service\" by running the following command:\n\n> sudo systemctl start firewalld.service"},{"id":"69c54152-6ccf-4379-b56b-fc85afa1919e","vulnId":"V-234822","severity":"medium","ruleTitle":"The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.","description":"To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nInteractive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.\n\nSatisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062","checkContent":"Verify the SUSE operating system contains no duplicate UIDs for interactive users.\n\nCheck that the SUSE operating system contains no duplicate UIDs for interactive users by running the following command:\n\n> awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf output is produced, this is a finding.","fixText":"Configure the SUSE operating system to contain no duplicate UIDs for interactive users.\n\nEdit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate UID with a unique UID."},{"id":"368eaeb3-d76a-429f-ad06-102b2768c07b","vulnId":"V-234823","severity":"medium","ruleTitle":"The SUSE operating system must disable the file system automounter.","description":"Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163","checkContent":"Verify the SUSE operating system disables the ability to automount devices.\n\nCheck to see if automounter service is active with the following command:\n\n> systemctl status autofs\nautofs.service - Automounts filesystems on demand\nLoaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)\nActive: inactive (dead)\n\nIf the \"autofs\" status is set to \"active\" this is a finding.","fixText":"Configure the SUSE operating system to disable the ability to automount devices.\n\nTurn off the automount service with the following commands:\n\n> systemctl stop autofs\n> systemctl disable autofs"},{"id":"bbfc2f4e-8626-4920-9dab-7e38759bbbf0","vulnId":"V-234825","severity":"medium","ruleTitle":"The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised.\n\nSUSE operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. \n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.","checkContent":"Verify the SUSE operating system requires that the \"ENCRYPT_METHOD\" value in \"/etc/login.defs\" is set to \"SHA512\".\n\nCheck the value of \"ENCRYPT_METHOD\" value in \"/etc/login.defs\" with the following command:\n\n> grep \"^ENCRYPT_METHOD \" /etc/login.defs\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" is not set to \"SHA512\", if any values other that \"SHA512\" are configured, or if no output is produced, this is a finding.","fixText":"Configure the SUSE operating system to require \"ENCRYPT_METHOD\" of \"SHA512\".\n\nEdit the \"/etc/login.defs\" file with the following line:\n\nENCRYPT_METHOD SHA512"},{"id":"5244aa7e-bcb2-4681-b1f5-102f7630684f","vulnId":"V-234826","severity":"medium","ruleTitle":"The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nThe system will attempt to use the first hash presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest hash available to secure the SSH connection.\n\nSatisfies: SRG-OS-000125-GPOS-00065, SRG-OS-000394-GPOS-00174","checkContent":"Verify the SUSE operating system SSH daemon is configured to only use MACs that employ FIPS 140-2 approved hashes.\n\nCheck that the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved hashes with the following command:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*macs'\n\nMACs hmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or \"hmac-sha2-256\" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.","fixText":"Configure the SUSE operating system SSH daemon to only use MACs that employ FIPS 140-2 approved hashes.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"MACs\" keyword and set its value to \"hmac-sha2-512\" and/or \"hmac-sha2-256\" (The file might be named differently or be in a different location):\n\nMACs hmac-sha2-512,hmac-sha2-256"},{"id":"fc6b4138-f948-48c3-8d5a-bd85daa7cc38","vulnId":"V-234827","severity":"medium","ruleTitle":"The SUSE operating system SSH daemon must be configured with a timeout interval.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the SUSE operating system-level, and deallocating networking assignments at the application level if multiple application sessions are using a single SUSE operating system-level network connection. This does not mean that the SUSE operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nSatisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109","checkContent":"Verify the SUSE operating system SSH daemon is configured to timeout idle sessions.\n\nCheck that the \"ClientAliveInterval\" parameter is set to a value of \"600\" with the following command:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*clientaliveinterval'\n\nClientAliveInterval 600\n\nIf \"ClientAliveInterval\" is not set to \"600\" in \"/etc/ssh/sshd_config\", this is a finding.","fixText":"Configure the SUSE operating system SSH daemon to timeout idle sessions.\n\nAdd or modify (to match exactly) the following line in the \"/etc/ssh/sshd_config\" file:\n\nClientAliveInterval 600\n\nThe SSH daemon must be restarted for any changes to take effect."},{"id":"c937fd8b-56d7-4c09-8ed9-8ef0168165ee","vulnId":"V-234828","severity":"medium","ruleTitle":"The sticky bit must be set on all SUSE operating system world-writable directories.","description":"$30","checkContent":"Verify the SUSE operating system prevents unauthorized and unintended information transfer via the shared system resources.\n\nCheck that world-writable directories have the sticky bit set with the following command:\n\n> sudo find / \$ -path /.snapshots -o -path /sys -o -path /proc \$ -prune -o -perm -002 -type d -exec ls -lLd {} \\;\n\n256 0 drwxrwxrwt 1 root root 4096 Jun 14 06:45 /tmp\n\nIf any of the returned directories do not have the sticky bit set, or are not documented as having the write permission for the other class, this is a finding.","fixText":"Configure the SUSE operating system shared system resources to prevent any unauthorized and unintended information transfer by setting the sticky bit for all world-writable directories.\n\nAn example of a world-writable directory is \"/tmp\" directory. Set the sticky bit on all of the world-writable directories (using the \"/tmp\" directory as an example) with the following command:\n\n> sudo chmod 1777 /tmp\n\nFor every world-writable directory, replace \"/tmp\" in the command above with the world-writable directory that does not have the sticky bit set."},{"id":"e3f6acb9-5ccd-4fe0-8519-78b841fbd94d","vulnId":"V-234829","severity":"medium","ruleTitle":"The SUSE operating system must be configured to use TCP syncookies.","description":"Denial of Service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. \n\nManaging excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.","checkContent":"Verify the SUSE operating system is configured to use IPv4 TCP syncookies.\n\nCheck to see if syncookies are used with the following command:\n\n> sudo sysctl net.ipv4.tcp_syncookies\nnet.ipv4.tcp_syncookies = 1\n\nIf the network parameter \"ipv4.tcp_syncookies\" is not equal to \"1\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to use IPv4 TCP syncookies by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv4.tcp_syncookies=1\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"be02b641-2e1a-49c5-83b7-55e0f45ae7bb","vulnId":"V-234830","severity":"medium","ruleTitle":"The SUSE operating system, for all network connections associated with SSH traffic, must immediately terminate at the end of the session or after 10 minutes of inactivity.","description":"$31","checkContent":"Verify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.\n\nCheck that the \"ClientAliveCountMax\" variable is set to a value of \"1\" by performing the following command:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*clientalivecountmax'\n\nClientAliveCountMax 1\n\nIf \"ClientAliveCountMax\" does not exist or \"ClientAliveCountMax\" is not set to a value of \"1\" in \"/etc/ssh/sshd_config\", or the line is commented out, this is a finding.","fixText":"Configure the SUSE operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\nModify or append the following lines in the \"/etc/ssh/sshd_config\" file:\n\nClientAliveCountMax 1\n\nFor the changes to take effect, the SSH daemon must be restarted.\n\n> sudo systemctl restart sshd.service"},{"id":"d73d3f5f-eb04-48a2-8d00-00e645bafca1","vulnId":"V-234831","severity":"high","ruleTitle":"All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.","description":"SUSE operating systems handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\n\nSatisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184","checkContent":"Verify the SUSE operating system prevents unauthorized disclosure or modification of all information requiring at rest protection by using disk encryption. \n\nDetermine the partition layout for the system with the following command:\n\n> sudo fdisk -l\n\nDevice Boot Start End Sectors Size Id Type\n/dev/sda1 2048 4208639 4206592 2G 82 Linux swap\n/dev/sda2 * 4208640 53479423 49270784 23.5G 83 Linux\n/dev/sda3 53479424 125829119 72349696 34.5G 83 Linux\n\nVerify the system partitions are all encrypted with the following command: \n\n> sudo more /etc/crypttab\n\ncr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64\ncr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765\ncr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac\n\n\nEvery persistent disk partition present on the system must have an entry in the file. \n\nIf any partitions other than pseudo file systems (such as /proc or /sys) are not listed or \"/etc/crypttab\" does not exist, this is a finding.","fixText":"Configure the SUSE operating system to prevent unauthorized modification of all information at rest by using disk encryption. \n\nEncrypting a partition in an already-installed system is more difficult because of the need to resize and change existing partitions. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted partition by default. Add it manually in the partitioning dialog.\n\nRefer to the document \"SUSE Linux Enterprise Server 15 SP1 - Security Guide\", Section 12.1.2, for a detailed disk encryption guide:\n\nhttps://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-cryptofs.html#sec-security-cryptofs-y2-part-run"},{"id":"534740ff-3bad-4216-a184-d097bcc96fe0","vulnId":"V-234832","severity":"medium","ruleTitle":"The SUSE operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.","description":"$32","checkContent":"Verify the SUSE operating system has all system log files under the /var/log directory with a permission set to \"640\", by using the following command:\n\nNote: The btmp, wtmp, and lastlog files are excluded. Refer to the Discussion for details.\n\n> sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec stat -c \"%n %a\" {} \\; \n\nIf command displays any output, this is a finding.","fixText":"Configure the SUSE operating system to set permissions of all log files under /var/log directory to \"640\" or more restricted, by using the following command:\n\nNote: The btmp, wtmp, and lastlog files are excluded. Refer to the Discussion for details.\n\n> sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \\;"},{"id":"0c6186b1-a82c-4360-ab8f-a8c040254bb2","vulnId":"V-234833","severity":"medium","ruleTitle":"The SUSE operating system must prevent unauthorized users from accessing system error messages.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.","checkContent":"Verify the SUSE operating system prevents unauthorized users from accessing system error messages.\n\nCheck the \"/var/log/messages\" file permissions with the following command:\n\n> sudo stat -c \"%n %U:%G %a\" /var/log/messages\n\n/var/log/messages root:root 640\n\nCheck that \"permissions.local\" file contains the correct permissions rules with the following command:\n\n> grep -i messages /etc/permissions.local\n\n/var/log/messages root:root 640\n\nIf the effective permissions do not match the \"permissions.local\" file, the command does not return any output, or is commented out, this is a finding.","fixText":"Configure the SUSE operating system to prevent unauthorized users from accessing system error messages.\n\nAdd or update the following rules in \"/etc/permissions.local\":\n\n/var/log/messages root:root 640\n\nSet the correct permissions with the following command:\n\n> sudo chkstat --set --system"},{"id":"ce167825-e1ab-4b7c-974c-0644aae0436f","vulnId":"V-234834","severity":"medium","ruleTitle":"The SUSE operating system library files must have mode 0755 or less permissive.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the systemwide shared library files contained in the directories \"/lib\", \"/lib64\", \"/usr/lib\", and \"/usr/lib64\" have mode 0755 or less permissive.\n\nCheck that the systemwide shared library files have mode 0755 or less permissive with the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec stat -c \"%n %a\" {} +\n\nIf any output is returned, this is a finding.","fixText":"Configure the systemwide shared library files contained in the directories \"/lib\", \"/lib64\", \"/usr/lib\", and \"/usr/lib64\" to have mode 0755 or less permissive with the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} +"},{"id":"3e1ee0d5-98ce-4040-a084-d638cbaa88fd","vulnId":"V-234835","severity":"medium","ruleTitle":"The SUSE operating system library directories must have mode 0755 or less permissive.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", \"/usr/lib\" and \"/usr/lib64\" have mode \"0755\" or less permissive.\n\nCheck that the system-wide shared library directories have mode \"0755\" or less permissive with the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.","fixText":"Configure the shared library directories to be protected from unauthorized access. Run the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec chmod 755 '{}' \\;"},{"id":"b9f5dd1e-f1b0-4f48-aed8-1fcf97f570d1","vulnId":"V-234836","severity":"medium","ruleTitle":"The SUSE operating system library files must be owned by root.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the systemwide shared library files contained in the directories \"/lib\", \"/lib64\", \"/usr/lib\", and \"/usr/lib64\" are owned by root with the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec stat -c \"%n %U\" {} +\n\nIf any output is returned, this is a finding.","fixText":"Configure the systemwide shared library files contained in the directories \"/lib\", \"/lib64\", \"/usr/lib\", and \"/usr/lib64\" are owned by root with the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} +"},{"id":"8d27e593-5434-431e-a946-24b1b57bb5f0","vulnId":"V-234837","severity":"medium","ruleTitle":"The SUSE operating system library directories must be owned by root.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", \"/usr/lib/\" and \"/usr/lib64\" are owned by root.\n\nCheck that the system-wide shared library directories are owned by root with the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system wide library directory is returned, this is a finding.","fixText":"Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \\;"},{"id":"98b17da0-4ff7-47c0-8347-81a945d56501","vulnId":"V-234838","severity":"medium","ruleTitle":"The SUSE operating system library files must be group-owned by root.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the systemwide shared library files contained in the directories \"/lib\", \"/lib64\", \"/usr/lib\", and \"/usr/lib64\" are group owned by root with the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec stat -c \"%n %G\" {} +\n\nIf any output is returned, this is a finding.","fixText":"Configure the systemwide shared library files contained in the directories \"/lib\", \"/lib64\", \"/usr/lib\", and \"/usr/lib64\" to be group owned by root with the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} +"},{"id":"367d70a4-8c14-4605-a19f-25888cfa7a00","vulnId":"V-234839","severity":"medium","ruleTitle":"The SUSE operating system library directories must be group-owned by root.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the system-wide library directories \"/lib\", \"/lib64\", \"/usr/lib\" and \"/usr/lib64\" are group-owned by root.\n\nCheck that the system-wide library directories are group-owned by root with the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system wide shared library directory is returned, this is a finding.","fixText":"Configure the system library directories to be protected from unauthorized access. Run the following command:\n\n> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec chgrp root '{}' \\;"},{"id":"2179ea6a-11c6-4227-a0f6-5dd041be6522","vulnId":"V-234840","severity":"medium","ruleTitle":"The SUSE operating system must have system commands set to a mode of 0755 or less permissive.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the system commands contained in the following directories have mode \"0755\" or less permissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command files have mode \"0755\" or less permissive with the following command:\n\n> find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or world-writable, this is a finding.","fixText":"Configure the system commands to be protected from unauthorized access. Run the following command:\n\n> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \\;"},{"id":"e3d92e33-a19e-4deb-b4c0-aa3f91cb1ad8","vulnId":"V-234841","severity":"medium","ruleTitle":"The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the system commands directories have mode \"0755\" or less permissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command directories have mode \"0755\" or less permissive with the following command:\n\n> find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a finding.","fixText":"Configure the system commands directories to be protected from unauthorized access. Run the following command:\n\n> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;"},{"id":"c7e0a85d-ec81-45cc-b6c1-26588cb96ab0","vulnId":"V-234842","severity":"medium","ruleTitle":"The SUSE operating system must have system commands owned by root.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the system commands contained in the following directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands are returned, this is a finding.","fixText":"Configure the system commands - and their respective parent directories - to be protected from unauthorized access. Run the following command:\n\n> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec chown root '{}' \\;"},{"id":"26d96217-cdb4-446c-beca-051d1e8558af","vulnId":"V-234843","severity":"medium","ruleTitle":"The SUSE operating system must have directories that contain system commands owned by root.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is a finding.","fixText":"Configure the system commands directories to be protected from unauthorized access. Run the following command:\n\n> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \\;"},{"id":"5204b3b0-0482-4a82-bf42-26c2191d71e4","vulnId":"V-234844","severity":"medium","ruleTitle":"The SUSE operating system must have system commands group-owned by root or a system account.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the system commands contained in the following directories are group-owned by root or a system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required system account, this is a finding.","fixText":"Configure the system commands to be protected from unauthorized access. Run the following command, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a required system account.\n\n> sudo chgrp root [FILE]"},{"id":"ba624e5e-5ca6-40db-8026-4e57d6774e6c","vulnId":"V-234845","severity":"medium","ruleTitle":"The SUSE operating system must have directories that contain system commands group-owned by root.","description":"If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.","checkContent":"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a finding.","fixText":"Configure the system commands directories to be protected from unauthorized access. Run the following command:\n\n> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;"},{"id":"b8070d67-47bb-47d0-867a-741a90ada5a2","vulnId":"V-234846","severity":"medium","ruleTitle":"The SUSE operating system must have a firewall system installed to immediately disconnect or disable remote access to the whole operating system.","description":"Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission functions and the need to eliminate immediate or future remote access to organizational information systems.\n\nSUSE operating systems are capable to immediately stop remote connections and services by a local system administrator.\n\nTo immediately disconnect or disable remote access, the firewall needs to be set into panic mode.\n\n> sudo firewall-cmd --panic-on\n\nTo enable remote connection again, panic mode needs to be disabled.\n\n> sudo firewall-cmd --panic-off","checkContent":"Verify \"firewalld\" is configured to protect the SUSE operating system. \n\nRun the following command:\n\n> systemctl status firewalld.service\n firewalld.service - firewalld - dynamic firewall daemon\n Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)\n Active: active (running) since Wed 2019-11-06 10:58:11 CET; 24h ago\n Docs: man:firewalld(1)\n Main PID: 1105 (firewalld)\n Tasks: 2 (limit: 4915)\n CGroup: /system.slice/firewalld.service\n ??1105 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid\n\nIf the service is not enabled, this is a finding.\n\nIf the service is not active, this is a finding.","fixText":"Configure the SUSE operating system to enable the firewall service. This is needed to be able to immediately disconnect or disable remote access to the whole system.\n\nEnable the \"firewalld.service\" by running the following command:\n\n> sudo systemctl enable firewalld.service\n\nStart the \"firewalld.service\" by running the following command:\n\n> sudo systemctl start firewalld.service\n\nTo immediately disconnect or disable remote access the firewall needs to be set into panic mode.\n\n> sudo firewall-cmd --panic-on\n\nTo enable remote connection again, panic mode needs to be disabled.\n\n> sudo firewall-cmd --panic-off"},{"id":"809a27d7-4621-46b4-bda1-fc8d2c3465b6","vulnId":"V-234847","severity":"medium","ruleTitle":"The SUSE operating system wireless network adapters must be disabled unless approved and documented.","description":"$33","checkContent":"$34","fixText":"Configure the SUSE operating system to disable all wireless network interfaces with the following command:\n\nFor each interface of type wireless, bring the interface into \"down\" state:\n\n> sudo wicked ifdown wlan0\n\nFor each interface of type wireless with a configuration type of \"compat:suse:\", remove the associated file:\n\n> sudo rm /etc/sysconfig/network/ifcfg-wlan0\n\nFor each interface of type wireless, for each configuration of type \"wicked:xml:\", remove the associated file or remove the interface configuration from the file.\n\n> sudo rm /etc/wicked/ifconfig/wlan0.xml"},{"id":"1bcfdafa-04d7-4435-aae9-e5b5678f8599","vulnId":"V-234848","severity":"medium","ruleTitle":"SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.","description":"$35","checkContent":"Verify that the SUSE operating system AppArmor tool is configured to control whitelisted applications and user home directory access control.\n\nCheck that \"pam_apparmor\" is installed on the system with the following command:\n\n> zypper info pam_apparmor | grep \"Installed\"\n\nIf the package \"pam_apparmor\" is not installed on the system, this is a finding.\n\nCheck that the \"apparmor\" daemon is running with the following command:\n\n> systemctl status apparmor.service | grep -i active\n\nActive: active (exited) since Fri 2017-01-13 01:01:01 GMT; 1day 1h ago\n\nIf something other than \"Active: active\" is returned, this is a finding.\n\nNote: \"pam_apparmor\" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the \"pam_apparmor\" documentation for more information on configuring profiles.","fixText":"Configure the SUSE operating system to blacklist all applications by default and permit by whitelist.\n\nInstall \"pam_apparmor\" (if it is not installed) with the following command:\n\n> sudo zypper in pam_apparmor\n\nEnable/activate \"Apparmor\" (if it is not already active) with the following command:\n\n> sudo systemctl enable apparmor.service\n\nStart \"Apparmor\" with the following command:\n\n> sudo systemctl start apparmor.service\n\nNote: \"pam_apparmor\" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the \"pam_apparmor\" documentation for more information on configuring profiles."},{"id":"220f9041-9f11-4a2c-a169-c8d6d38f8b83","vulnId":"V-234849","severity":"medium","ruleTitle":"The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DOD time source at least every 24 hours.","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).\n\nSatisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144","checkContent":"The SUSE operating system clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second. \n\nCheck that the SUSE operating system clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second with the following command:\n\n> sudo grep maxpoll /etc/chrony.conf\n\nserver 0.us.pool.ntp.mil maxpoll 16\n\nIf nothing is returned, \"maxpoll\" is greater than \"16\", or is commented out, this is a finding.\n\nVerify the \"chrony.conf\" file is configured to an authoritative DOD time source by running the following command:\n\n> sudo grep -i server /etc/chrony.conf\nserver 0.us.pool.ntp.mil \n\nIf the parameter \"server\" is not set, is not set to an authoritative DOD time source, or is commented out, this is a finding.","fixText":"The SUSE operating system clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second. \n\nTo configure the system clock to synchronize to an authoritative DOD time source at least every 24 hours, edit the file \"/etc/chrony.conf\". Add or correct the following lines by replacing \"[time_source]\" with an authoritative DOD time source:\n\nserver [time_source] maxpoll 16"},{"id":"9e8dc6bf-17bd-4808-9b4d-0ec45ab4d143","vulnId":"V-234850","severity":"low","ruleTitle":"The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).","description":"If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.\n\nTime stamps generated by the SUSE operating system include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.","checkContent":"Verify the SUSE operating system is configured to use UTC or GMT.\n\nCheck that the SUSE operating system is configured to use UTC or GMT with the following command:\n\n> timedatectl status | grep -i \"time zone\"\nTime zone: UTC (UTC, +0000)\n\nIf \"Time zone\" is not set to \"UTC\" or \"GMT\", this is a finding.","fixText":"Configure the SUSE operating system is configured to use UTC or GMT.\n\nTo configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with \"UTC\" or \"GMT\".\n\n> sudo timedatectl set-timezone [ZONE]"},{"id":"bf864171-19b1-4223-86c3-046ccc8a6d49","vulnId":"V-234851","severity":"medium","ruleTitle":"Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.","description":"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the SUSE operating system. Changes to SUSE operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the SUSE operating system. The SUSE operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrator (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\n\nSatisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200","checkContent":"Verify the SUSE operating system checks the baseline configuration for unauthorized changes at least once weekly.\n\nNote: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week.\n\nCheck for the presence of a cron job running daily or weekly on the system that executes AIDE to scan for changes to the system baseline. The command used in the following example looks at the daily cron job:\n\nCheck the \"/etc/cron\" subdirectories for a \"crontab\" file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:\n\n > sudo grep -R aide /etc/crontab /etc/cron.*\n /etc/crontab: 30 04 * * * /etc/aide\n\nIf the file integrity application does not exist, or a \"crontab\" file does not exist in \"/etc/crontab\", the \"/etc/cron.daily\" subdirectory, or \"/etc/cron.weekly\" subdirectory, this is a finding.","fixText":"Configure the SUSE operating system to check the baseline configuration for unauthorized changes at least once weekly.\n\nIf the \"aide\" package is not installed, install it with the following command:\n\n > sudo zypper in aide\n\nConfigure the file integrity tool to automatically run on the system at least weekly. The following example output is generic. It will set cron to run AIDE weekly, but other file integrity tools may be used:\n\n > cat /etc/cron.weekly/aide \n 0 0 * * * /usr/bin/aide --check | /bin/mail -s \"$HOSTNAME - Daily AIDE integrity check run\" root@example_server_name.mil\n\nNote: Per requirement SLES-15-010418, the \"mailx\" package must be installed on the system to enable email functionality."},{"id":"e89d67b9-2354-49c2-8f47-882f0c212ad1","vulnId":"V-234852","severity":"high","ruleTitle":"The SUSE operating system tool zypper must have gpgcheck enabled.","description":"$36","checkContent":"Verify the SLES 12 zypper tool has gpgcheck enabled with the following command: \n\n > grep -i '^gpgcheck' /etc/zypp/zypp.conf\n\nIf \"gpgcheck\" is set to \"off\", this is a finding.","fixText":"Configure the SLES 12 zypper tool to enable gpgcheck.\n\nAdd or modify the following line in the \"/etc/zypp/zypp.conf\" file or remove the line completely ensuring that the default zypper setting is enabled:\n\ngpgcheck = on"},{"id":"49a7c258-6d0d-4816-9c86-20661d3c1602","vulnId":"V-234853","severity":"high","ruleTitle":"The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen the SUSE operating system provides the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate.\n\nSatisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158","checkContent":"Verify that the SUSE operating system requires reauthentication when changing authenticators, roles, or escalating privileges.\n\nCheck that \"/etc/sudoers\" has no occurrences of \"NOPASSWD\" or \"!authenticate\" with the following command:\n\n> sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n\nIf any uncommented lines containing \"!authenticate\", or \"NOPASSWD\" are returned and active accounts on the system have valid passwords, this is a finding.","fixText":"Configure the SUSE operating system to remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in the \"/etc/sudoers\" file. If the system does not use passwords for authentication, the \"NOPASSWD\" tag may exist in the file."},{"id":"72f88875-cc73-4f7a-a465-c134027ad5f0","vulnId":"V-234854","severity":"medium","ruleTitle":"The SUSE operating system must have the packages required for multifactor authentication to be installed.","description":"$37","checkContent":"Verify the SUSE operating system has the packages required for multifactor authentication installed.\n\nCheck for the presence of the packages required to support multifactor authentication with the following commands:\n\n> zypper info pam_pkcs11 | grep -i installed\n\n> zypper info mozilla-nss | grep -i installed\n\n> zypper info mozilla-nss-tools | grep -i installed\n\n> zypper info pcsc-ccid | grep -i installed\n\n> zypper info pcsc-lite | grep -i installed\n\n> zypper info pcsc-tools | grep -i installed\n\n> zypper info opensc | grep -i installed\n\n> zypper info coolkey | grep -i installed\n\nIf any of the packages required for multifactor authentication are not installed, this is a finding.","fixText":"Configure the SUSE operating system to implement multifactor authentication by installing the required packages.\n\nInstall the packages required to support multifactor authentication with the following commands:\n\n> zypper install pam_pkcs11\n\n> zypper install mozilla-nss\n\n> zypper install mozilla-nss-tools\n\n> zypper install pcsc-ccid\n\n> zypper install pcsc-lite\n\n> zypper install pcsc-tools\n\n> zypper install opensc\n\n> zypper install coolkey\n\nAdditional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/."},{"id":"f6abfc6e-907e-4bf1-bb47-c2bf8a37b7b1","vulnId":"V-234855","severity":"medium","ruleTitle":"The SUSE operating system must implement certificate status checking for multifactor authentication.","description":"$38","checkContent":"Verify the SUSE operating system implements certificate status checking for multifactor authentication.\n\nCheck that certificate status checking for multifactor authentication is implemented with the following command:\n\n> grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy\n\ncert_policy = ca,ocsp_on,signature,crl_auto;\n\nIf \"cert_policy\" is not set to include \"ocsp_on\", this is a finding.","fixText":"Configure the SUSE operating system to certificate status checking for PKI authentication.\n\nModify all of the cert_policy lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\".\n\nNote: OCSP allows sending request for certificate status information. Additional certificate validation polices are permitted.\n\nAdditional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/."},{"id":"d15e546b-690a-4ae5-8cd7-8e4ea5710d5f","vulnId":"V-234856","severity":"medium","ruleTitle":"The SUSE operating system must disable the USB mass storage kernel module.","description":"Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\n\nPeripherals include but are not limited to such devices as flash drives, external storage, and printers.","checkContent":"Verify the SUSE operating system does not automount USB mass storage devices when connected to the host.\n\nCheck that \"usb-storage\" is blacklisted in the \"/etc/modprobe.d/50-blacklist.conf\" file with the following command:\n\n> grep usb-storage /etc/modprobe.d/50-blacklist.conf\nblacklist usb-storage\n\nIf nothing is output from the command, this is a finding.","fixText":"Configure the SUSE operating system to prevent USB mass storage devices from automounting when connected to the host.\n\nAdd or update the following line to the \"/etc/modprobe.d/50-blacklist.conf\" file:\n\nblacklist usb-storage"},{"id":"ca7a3eed-69a0-4f1f-a249-8179cd947a9c","vulnId":"V-234857","severity":"medium","ruleTitle":"If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day.","description":"If cached authentication information is out of date, the validity of the authentication information may be questionable.","checkContent":"If NSS is not used on the operating system, this is Not Applicable.\n\nIf NSS is used by the SUSE operating system, verify it prohibits the use of cached authentications after one day.\n\nCheck that cached authentications cannot be used after one day with the following command:\n\n> sudo grep -i \"memcache_timeout\" /etc/sssd/sssd.conf\n\nmemcache_timeout = 86400\n\nIf \"memcache_timeout\" has a value greater than \"86400\", or is missing, this is a finding.","fixText":"Configure NSS, if used by the SUSE operating system, to prohibit the use of cached authentications after one day. \n\nAdd or change the following line in \"/etc/sssd/sssd.conf\" just below the line \"[nss]\":\n\nmemcache_timeout = 86400"},{"id":"2e2b3a84-3e8f-4fbb-bed0-dd886233b17b","vulnId":"V-234858","severity":"medium","ruleTitle":"The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.","description":"If cached authentication information is out of date, the validity of the authentication information may be questionable.","checkContent":"If SSSD is not being used on the operating system, this is Not Applicable.\n\nVerify that the SUSE operating system PAM prohibits the use of cached off line authentications after one day.\n\nCheck that cached off line authentications cannot be used after one day with the following command:\n\n> sudo grep \"offline_credentials_expiration\" /etc/sssd/sssd.conf\n\noffline_credentials_expiration = 1\n\nIf \"offline_credentials_expiration\" is not set to a value of \"1\", this is a finding.","fixText":"Configure the SUSE operating system PAM to prohibit the use of cached authentications after one day. \n\nAdd or change the following line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\noffline_credentials_expiration = 1"},{"id":"c832adff-f455-4c93-b048-eb96d1c9412b","vulnId":"V-234859","severity":"high","ruleTitle":"FIPS 140-2 mode must be enabled on the SUSE operating system.","description":"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nSatisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223","checkContent":"Verify the SUSE operating system is running in FIPS mode by running the following command.\n\n> cat /proc/sys/crypto/fips_enabled \n\n1\n\nIf nothing is returned, the file does not exist, or the value returned is \"0\", this is a finding.","fixText":"To configure the SUSE operating system to run in FIPS mode, add \"fips=1\" to the kernel parameter during the SUSE operating system install.\n\nEnabling FIPS mode on a preexisting system involves a number of modifications to the SUSE operating system. Refer to section 9.1, \"Crypto Officer Guidance\", of the following document for installation guidance:\n\nhttp://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdf"},{"id":"8a34f6c8-ecb5-4c92-9c20-1989a82f574e","vulnId":"V-234860","severity":"high","ruleTitle":"All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.","description":"$39","checkContent":"Note: If the system is not networked, this requirement is Not Applicable.\n\nVerify that the SUSE operating system implements SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.\n\nCheck that the OpenSSH package is installed on the SUSE operating system with the following command:\n\n> zypper info openssh | grep -i installed\n\nIf the OpenSSH package is not installed, this is a finding.\n\nCheck that the OpenSSH service active on the SUSE operating system with the following command:\n\n> systemctl status sshd.service | grep -i \"active:\"\n\nActive: active (running) since Thu 2017-01-12 15:03:38 UTC; 1 months 4 days ago\n\nIf OpenSSH service is not active, this is a finding.","fixText":"Note: If the system is not networked, this requirement is Not Applicable.\n\nConfigure the SUSE operating system to implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.\n\nInstall the OpenSSH package on the SUSE operating system with the following command:\n\n> sudo zypper in openssh\n\nEnable the OpenSSH service to start automatically on reboot with the following command:\n\n> sudo systemctl enable sshd.service\n\nFor the changes to take effect immediately, start the service with the following command:\n\n> sudo systemctl restart sshd.service"},{"id":"ebcd3937-3d4d-40e8-a685-dfd5c3c2fbc6","vulnId":"V-234861","severity":"medium","ruleTitle":"The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses.","description":"Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.","checkContent":"Verify the SUSE operating system prevents leaking of internal kernel addresses.\n\nCheck that the SUSE operating system prevents leaking of internal kernel addresses by running the following command:\n\n> sudo sysctl kernel.kptr_restrict\nkernel.kptr_restrict = 1\n\nIf the kernel parameter \"kptr_restrict\" is not equal to \"1\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to prevent leaking of internal kernel addresses by running the following command: \n\n> sudo sysctl -w kernel.kptr_restrict=1\n\nIf \"1\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"kernel.kptr_restrict=1\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"5876a0c7-c434-4e1f-b5ab-a1dda7cde8ad","vulnId":"V-234862","severity":"medium","ruleTitle":"Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.","description":"Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.","checkContent":"Verify the SUSE operating system implements ASLR.\n\nCheck that the SUSE operating system implements ASLR by running the following command:\n\n> sudo sysctl kernel.randomize_va_space\nKernel.randomize_va_space = 2\n\nIf the kernel parameter \"randomize_va_space\" is not equal to \"2\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to implement ASLR by running the following command as an administrator:\n\n> sudo sysctl -w kernel.randomize_va_space=2\n\nIf \"2\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"kernel.randomize_va_space=2\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"0fd0ecb8-5730-4ba8-8a85-2fca18db918a","vulnId":"V-234863","severity":"medium","ruleTitle":"The SUSE operating system must remove all outdated software components after updated versions have been installed.","description":"Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.","checkContent":"Verify the SUSE operating system removes all outdated software components after updated version have been installed by running the following command:\n\n> grep -i upgraderemovedroppedpackages /etc/zypp/zypp.conf \n\nsolver.upgradeRemoveDroppedPackages = true\n\nIf \"solver.upgradeRemoveDroppedPackages\" is commented out, is set to \"false\", or is missing completely, this is a finding.","fixText":"Configure the SUSE operating system to remove all outdated software components after an update by editing the following line in \"/etc/zypp/zypp.conf\" to match the one provided below:\n\nsolver.upgradeRemoveDroppedPackages = true"},{"id":"0c427fd4-c9f5-45d6-aeef-cd38b7a2a6f8","vulnId":"V-234864","severity":"medium","ruleTitle":"The SUSE operating system must notify the System Administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions.","description":"If anomalies are not acted on, security functions may fail to secure the system. \n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nNotifications provided by information systems include messages to local computer consoles and/or hardware indications, such as lights.\n\nThis capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.","checkContent":"Verify the SUSE operating system notifies the SA when AIDE discovers anomalies in the operation of any security functions.\n\nVerify the aide cron job sends an email when executed with the following command:\n\n > grep -i \"aide\" /etc/cron.*/aide \n 0 0 * * * /usr/bin/aide --check | /bin/mail -s \"$HOSTNAME - Daily AIDE integrity check run\" root@example_server_name.mil\n\nIf the \"aide\" file does not exist under the \"/etc/cron\" directory structure or the cron job is not configured to execute a binary to send an email (such as \"/bin/mail\"), this is a finding.","fixText":"Configure the SUSE operating system to notify the SA when AIDE discovers anomalies in the operation of any security functions.\n\nCreate the aide crontab file in \"/etc/cron.daily\" and add following command replacing the \"[E-MAIL]\" parameter with a proper email address for the SA:\n\n 0 0 * * * /usr/bin/aide --check | /bin/mail -s \"$HOSTNAME - Daily AIDE integrity check run\" root@example_server_name.mil\n\nNote: Per requirement SLES-15-010418, the \"mailx\" package must be installed on the system to enable email functionality."},{"id":"be63b504-3399-4841-b943-1d79ae242883","vulnId":"V-234865","severity":"medium","ruleTitle":"The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.","checkContent":"Verify that the SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.\n\nFor stand-alone hosts, verify with the system administrator that the log files are off-loaded at least weekly.\n\nFor networked systems, check that rsyslog is sending log messages to a remote server with the following command:\n\n> sudo grep \"\\*.\\*\" /etc/rsyslog.conf | grep \"@\" | grep -v \"^#\"\n\n*.*;mail.none;news.none @192.168.1.101:514\n\nIf any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.","fixText":"Configure the SUSE operating system to off-load rsyslog messages for networked systems in real time.\n\nFor stand-alone systems establish a procedure to off-load log messages at least once a week.\n\nFor networked systems add a \"@[Log_Server_IP_Address]\" option to every active message label in \"/etc/rsyslog.conf\" or in a file in \"/etc/rsyslog.d/ that does not have one. Some examples are listed below:\n\n*.*;mail.none;news.none -/var/log/messages\n*.*;mail.none;news.none @192.168.1.101:514\n\nAn additional option is to capture all of the log messages and send them to a remote log host:\n\n*.* @@loghost:514"},{"id":"8e21534d-1b7b-404d-8cb4-94712ff07966","vulnId":"V-234866","severity":"medium","ruleTitle":"The SUSE operating system must provision temporary accounts with an expiration date for 72 hours.","description":"If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\nTemporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n\nIf temporary accounts are used, the SUSE operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.","checkContent":"Verify that the SUSE operating system provisions temporary accounts with an expiration date for \"72\" hours.\n\nAsk the System Administrator if any temporary accounts have been added to the system. For every existing temporary account, run the following command to obtain its account expiration information:\n\n> sudo chage -l system_account_name\n\nVerify each of these accounts has an expiration date that is within \"72\" hours of its creation.\n\nIf any temporary accounts have no expiration date set or do not expire within \"72\" hours of their creation, this is a finding.","fixText":"In the event temporary accounts are required, configure the SUSE operating system to terminate them after \"72\" hours. \n\nFor every temporary account, run the following command to set an expiration date on it, substituting \"system_account_name\" with the appropriate value:\n\n> sudo chage -E `date -d \"+3 days\" +%Y-%m-%d` system_account_name\n\n`date -d \"+3 days\" +%Y-%m-%d` sets the 72-hour expiration date for the account at the time the command is run."},{"id":"2d645a9c-e6fc-488f-8b81-a3e23624c6f6","vulnId":"V-234867","severity":"medium","ruleTitle":"The SUSE operating system must lock an account after three consecutive invalid access attempts.","description":"By limiting the number of failed access attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.\n\nThe pam_tally2.so module maintains a count of attempted accesses. This includes user name entry into a logon field as well as password entry. With counting access attempts, it is possible to lock an account without presenting a password into the password field. This should be taken into consideration as it poses as an avenue for denial of service.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128","checkContent":"Verify the SUSE operating system locks a user account after three consecutive failed access attempts until the locked account is released by an administrator. \n\nCheck that the system locks a user account after three consecutive failed login attempts using the following command: \n\n> grep pam_tally2.so /etc/pam.d/common-auth \nauth required pam_tally2.so onerr=fail deny=3 \n\nIf no line is returned or the line is commented out, this is a finding.\nIf the line is missing \"onerr=fail\", this is a finding.\nIf the line has \"deny\" set to a value other than 1, 2, or 3, this is a finding.\n\nCheck that the system resets the failed login attempts counter after a successful login using the following command: \n\n> grep pam_tally2.so /etc/pam.d/common-account \naccount required pam_tally2.so\n\nIf the account option is missing, or commented out, this is a finding.","fixText":"Configure the operating system to lock an account when three unsuccessful access attempts occur.\n\nModify the first line of the auth section \"/etc/pam.d/common-auth\" file to match the following lines:\n\nauth required pam_tally2.so onerr=fail silent audit deny=3\n\nAdd or modify the following line in the /etc/pam.d/common-account file:\naccount required pam_tally2.so \n\nNote: Manual changes to the listed files may be overwritten by the \"pam-config\" program. The \"pam-config\" program should not be used to update the configurations listed in this requirement."},{"id":"7e81672d-b73c-43ff-9415-0b67cbdbcbf2","vulnId":"V-234868","severity":"low","ruleTitle":"The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.","description":"SUSE operating system management includes the ability to control the number of users and user sessions that utilize a SUSE operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to Denial-of-Service (DoS) attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.","checkContent":"Verify the SUSE operating system limits the number of concurrent sessions to 10 for all accounts and/or account types by running the following command:\n\n> grep \"maxlogins\" /etc/security/limits.conf\n\nThe result must contain the following line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing, the line does not begin with a star symbol, or the value is not set to \"10\" or less, this is a finding.","fixText":"Configure the SUSE operating system to limit the number of concurrent sessions to \"10\" or less for all accounts and/or account types.\n\nAdd the following line to the file \"/etc/security/limits.conf\":\n\n* hard maxlogins 10"},{"id":"3169207c-433e-4e56-bd17-fd5e4367ebb9","vulnId":"V-234869","severity":"medium","ruleTitle":"The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).","description":"$3a","checkContent":"Verify the SUSE operating system implements multifactor authentication for remote access to privileged accounts via PAM.\n\nCheck that the \"pam_pkcs11.so\" option is configured in the \"/etc/pam.d/common-auth\" file with the following command:\n\n> grep pam_pkcs11.so /etc/pam.d/common-auth\n\nauth sufficient pam_pkcs11.so\n\nIf \"pam_pkcs11.so\" is not set in \"/etc/pam.d/common-auth\", this is a finding.","fixText":"Configure the SUSE operating system to implement multifactor authentication for remote access to privileged accounts via PAM.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the following line:\n\nauth sufficient pam_pkcs11.so"},{"id":"94fe02dc-08e1-4c4a-9096-b630ecab71df","vulnId":"V-234870","severity":"medium","ruleTitle":"The SUSE operating system must deny direct logons to the root account using remote access via SSH.","description":"$3b","checkContent":"Verify the SUSE operating system denies direct logons to the root account using remote access via SSH.\n\nCheck that SSH denies any user trying to log on directly as root with the following command:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permitrootlogin'\n\nPermitRootLogin no\n\nIf the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding.","fixText":"Configure the SUSE operating system to deny direct logons to the root account using remote access via SSH.\n\nEdit the appropriate \"/etc/ssh/sshd_config\" file, add or uncomment the line for \"PermitRootLogin\" and set its value to \"no\" (this file may be named differently or be in a different location):\n\nPermitRootLogin no"},{"id":"5ad5d924-f6e4-40fa-a7f8-665885e12776","vulnId":"V-234871","severity":"medium","ruleTitle":"The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.","description":"Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nThe SUSE operating system needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.","checkContent":"Verify the SUSE operating system disables account identifiers after 35 days of inactivity since the password expiration.\n\nCheck the account inactivity value by performing the following command:\n\n> sudo grep -i '^inactive' /etc/default/useradd\n\nINACTIVE=35\n\nIf no output is produced, or if \"INACTIVE\" is not set to a value greater than \"0\" and less than or equal to \"35\", this is a finding.","fixText":"Configure the SUSE operating system to disable account identifiers after 35 days of inactivity since the password expiration. \n\nRun the following command to change the configuration for \"useradd\" to disable the account identifier after 35 days:\n\n> sudo useradd -D -f 35\n\nDOD recommendation is 35 days, but a lower value greater than \"0\" is acceptable."},{"id":"8f4d8f72-343b-4147-8c8f-3e85df7ef83c","vulnId":"V-234872","severity":"medium","ruleTitle":"The SUSE operating system must never automatically remove or disable emergency administrator accounts.","description":"$3c","checkContent":"Verify the SUSE operating system is configured such that emergency administrator accounts are never automatically removed or disabled. \n\nNote: Root is typically the \"account of last resort\" on a system and is also used as the example emergency administrator account. If another account is being used as the emergency administrator account, the command should be used against that account. \n\nCheck to see if the root account password or account expires with the following command:\n\n> sudo chage -l [Emergency_Administrator]\n\nPassword expires:never\n\nIf \"Password expires\" or \"Account expires\" is set to anything other than \"never\", this is a finding.","fixText":"Configure the SUSE operating system to never automatically remove or disable emergency administrator accounts.\n\nReplace \"[Emergency_Administrator]\" in the following command with the correct emergency administrator account. Run the following command as an administrator:\n\n> sudo chage -I -1 -M 99999 [Emergency_Administrator]"},{"id":"f8e31e74-eb87-4c08-a9cc-7e07ecfaf099","vulnId":"V-234874","severity":"medium","ruleTitle":"The SUSE operating system must not have unnecessary accounts.","description":"Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.","checkContent":"Verify all SUSE operating system accounts are assigned to an active system, application, or user account.\n\nObtain the list of authorized system accounts from the Information System Security Officer (ISSO).\n\nCheck the system accounts on the system with the following command:\n\n> more /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\n...\ngames:x:12:100:Games account:/var/games:/bin/bash\n\nAccounts such as \"games\" and \"gopher\" are not authorized accounts as they do not support authorized system functions. \n\nIf the accounts on the system do not match the provided documentation, this is a finding.","fixText":"Configure the SUSE operating system so all accounts on the system are assigned to an active system, application, or user account. \n\nRemove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. \n\nDocument all authorized accounts on the system."},{"id":"dcc4b492-3974-4379-8ea0-16ebeff642f8","vulnId":"V-234875","severity":"medium","ruleTitle":"The SUSE operating system must not have unnecessary account capabilities.","description":"Accounts providing no operational purpose provide additional opportunities for system compromise. Therefore all necessary non interactive accounts should not have an interactive shell assigned to them.","checkContent":"Verify all non-interactive SUSE operating system accounts do not have an interactive shell assigned to them.\n\nObtain the list of authorized system accounts from the Information System Security Officer (ISSO).\n\nCheck the system accounts on the system with the following command:\n\n> awk -F: '($7 !~ \"/sbin/nologin\" && $7 !~ \"/bin/false\"){print $1 \":\" $3 \":\" $7}' /etc/passwd\nroot:0:/bin/bash\nnobody:65534:/bin/bash\n\nIf a non-interactive accounts such as \"games\" or \"nobody\" is listed with an interactive shell, this is a finding.","fixText":"Configure the SUSE operating system so that all non-interactive accounts on the system have no interactive shell assigned to them.\n\nRun the following command to disable the interactive shell for a specific non-interactive user account:\n\n> sudo usermod --shell /sbin/nologin nobody"},{"id":"9873d7dc-0715-49d4-a3af-65a7ae1baf16","vulnId":"V-234876","severity":"high","ruleTitle":"The SUSE operating system root account must be the only account with unrestricted access to the system.","description":"If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that account unrestricted access to the entire SUSE operating system. Multiple accounts with a UID of \"0\" afford an opportunity for potential intruders to guess a password for a privileged account.","checkContent":"Verify that the SUSE operating system root account is the only account with unrestricted access to the system.\n\nCheck the system for duplicate UID \"0\" assignments with the following command:\n\n> awk -F: '$3 == 0 {print $1}' /etc/passwd\n\nroot\n\nIf any accounts other than root have a UID of \"0\", this is a finding.","fixText":"Change the UID of any account on the SUSE operating system, other than the root account, that has a UID of \"0\". \n\nIf the account is associated with system commands or applications, the UID should be changed to one greater than \"0\" but less than \"1000\". Otherwise, assign a UID of greater than \"1000\" that has not already been assigned."},{"id":"489afe67-389a-47cf-9f69-217c8731737e","vulnId":"V-234877","severity":"medium","ruleTitle":"The SUSE operating system must restrict privilege elevation to authorized personnel.","description":"The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.","checkContent":"Verify the \"sudoers\" file restricts sudo access to authorized personnel.\n> sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*\n\nIf the either of the following entries are returned, this is a finding:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL","fixText":"Remove the following entries from the sudoers file:\nALL ALL=(ALL) ALL\nALL ALL=(ALL:ALL) ALL"},{"id":"1f32552d-5489-4bc4-85c3-18092714b24e","vulnId":"V-234878","severity":"medium","ruleTitle":"The SUSE operating system must require reauthentication when using the \"sudo\" command.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the \"sudo\" command.\n\nIf the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated.","checkContent":"Verify the operating system requires re-authentication when using the \"sudo\" command to elevate privileges.\n\n> sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d\n/etc/sudoers:Defaults timestamp_timeout=0\n\nIf conflicting results are returned, this is a finding.\n\nIf \"timestamp_timeout\" is set to a negative number, is commented out, or no results are returned, this is a finding.","fixText":"Configure the \"sudo\" command to require reauthentication.\nEdit the /etc/sudoers file:\n\n> sudo visudo\n\nAdd or modify the following line:\n\nDefaults timestamp_timeout=[value]\n\nNote: The \"[value]\" must be a number that is greater than or equal to \"0\"."},{"id":"6d574f8c-ad54-44f3-a109-3629dc8163f7","vulnId":"V-234879","severity":"medium","ruleTitle":"The SUSE operating system must use the invoking user's password for privilege escalation when using \"sudo\".","description":"The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the \"root\" user password. \nFor more information on each of the listed configurations, reference the sudoers(5) manual page.","checkContent":"Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.\n\n> sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'\n\n/etc/sudoers:Defaults !targetpw\n/etc/sudoers:Defaults !rootpw\n/etc/sudoers:Defaults !runaspw\n\nIf conflicting results are returned, this is a finding.\nIf \"Defaults !targetpw\" is not defined, this is a finding.\nIf \"Defaults !rootpw\" is not defined, this is a finding.\nIf \"Defaults !runaspw\" is not defined, this is a finding.","fixText":"Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:\n\nDefaults !targetpw\nDefaults !rootpw\nDefaults !runaspw"},{"id":"e90a0362-cdc5-45b9-b3b0-bc3507876c72","vulnId":"V-234880","severity":"medium","ruleTitle":"All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.","description":"If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.","checkContent":"Verify all SUSE operating system local interactive users on the system are assigned a home directory upon creation.\n\nCheck to see if the system is configured to create home directories for local interactive users with the following command:\n\n> grep -i create_home /etc/login.defs\nCREATE_HOME yes\n\nIf the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is missing, or the line is commented out, this is a finding.","fixText":"Configure the SUSE operating system to assign home directories to all new local interactive users by setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to \"yes\" as follows.\n\nCREATE_HOME yes"},{"id":"0e491c27-55c3-4ab8-82b6-ba0c6c4e0989","vulnId":"V-234881","severity":"medium","ruleTitle":"The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.","description":"Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.","checkContent":"Verify all remote connections via SSH to the SUSE operating system display feedback on when account accesses last occurred.\n\nCheck that \"PrintLastLog\" keyword in the sshd daemon configuration file is used and set to \"yes\" with the following command:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*printlastlog'\n\nPrintLastLog yes\n\nIf the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding.","fixText":"Configure the SUSE operating system to provide users with feedback on when account accesses last occurred.\n\nAdd or edit the following lines in the \"/etc/ssh/sshd_config\" file:\n\nPrintLastLog yes"},{"id":"b25a35bf-fd5c-4feb-a4a9-e0ef3e38f8c4","vulnId":"V-234882","severity":"medium","ruleTitle":"The SUSE operating system must enforce passwords that contain at least one uppercase character.","description":"Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Verify the SUSE operating system enforces password complexity by requiring at least one uppercase character.\n\nCheck that the operating system enforces password complexity by requiring that at least one uppercase character be used by using the following command:\n\n> grep pam_cracklib.so /etc/pam.d/common-password\npassword requisite pam_cracklib.so ucredit=-1\n\nIf the command does not return anything, the returned line is commented out, or has a second column value different from \"requisite\", or does not contain \"ucredit=-1\", this is a finding.","fixText":"Configure the SUSE operating system to enforce password complexity by requiring at least one uppercase character.\n\nEdit \"/etc/pam.d/common-password\" and edit the line containing \"pam_cracklib.so\" to contain the option \"ucredit=-1\" after the third column."},{"id":"04bc67c4-4d55-4545-a4fe-59d46e080d4c","vulnId":"V-234883","severity":"medium","ruleTitle":"The SUSE operating system must enforce passwords that contain at least one lowercase character.","description":"Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Verify the SUSE operating system enforces password complexity by requiring that at least one lowercase character.\n\nCheck that the operating system enforces password complexity by requiring that at least one lowercase character be used by using the following command:\n\n> grep pam_cracklib.so /etc/pam.d/common-password\npassword requisite pam_cracklib.so lcredit=-1\n\nIf the command does not return anything, the returned line is commented out, or has a second column value different from \"requisite\", or does not contain \"lcredit=-1\", this is a finding.","fixText":"Configure the SUSE operating system to enforce password complexity by requiring at least one lowercase character.\n\nEdit \"/etc/pam.d/common-password\" and edit the line containing \"pam_cracklib.so\" to contain the option \"lcredit=-1\" after the third column."},{"id":"8c71b9a7-83d7-43bd-9fa7-7ab184eda917","vulnId":"V-234884","severity":"medium","ruleTitle":"The SUSE operating system must enforce passwords that contain at least one numeric character.","description":"Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"Verify the SUSE operating system enforces password complexity by requiring that at least one numeric character.\n\nCheck that the operating system enforces password complexity by requiring that at least one numeric character be used by using the following command:\n\n> grep pam_cracklib.so /etc/pam.d/common-password\npassword requisite pam_cracklib.so dcredit=-1\n\nIf the command does not return anything, the returned line is commented out, or has a second column value different from \"requisite\", or does not contain \"dcredit=-1\", this is a finding.","fixText":"Configure the SUSE operating system to enforce password complexity by requiring at least one numeric character.\n\nEdit \"/etc/pam.d/common-password\" and edit the line containing \"pam_cracklib.so\" to contain the option \"dcredit=-1\" after the third column."},{"id":"e5f02d86-f83f-4061-8a92-42e72eba8cdc","vulnId":"V-234885","severity":"medium","ruleTitle":"The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed.","description":"If the SUSE operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.","checkContent":"Verify the SUSE operating system requires at least eight characters be changed between the old and new passwords during a password change.\n\nCheck that the operating system requires at least eight characters be changed between the old and new passwords during a password change by running the following command:\n\n> grep pam_cracklib.so /etc/pam.d/common-password\npassword requisite pam_cracklib.so difok=8\n\nIf the command does not return anything, the returned line is commented out, or has a second column value different from \"requisite\", or does not contain \"difok\", or the value is less than \"8\", this is a finding.","fixText":"Configure the SUSE operating system to require at least eight characters be changed between the old and new passwords during a password change with the following command:\n\nEdit \"/etc/pam.d/common-password\" and edit the line containing \"pam_cracklib.so\" to contain the option \"difok=8\" after the third column."},{"id":"1f4e5e9b-d46d-4a97-b9af-1e746b276b97","vulnId":"V-234886","severity":"medium","ruleTitle":"The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"Verify the SUSE operating system configures the Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength.\n\nCheck that PAM is configured to create SHA512 hashed passwords by running the following command:\n\n> grep pam_unix.so /etc/pam.d/common-password\npassword required pam_unix.so sha512\n\nIf the command does not return anything or the returned line is commented out, has a second column value different from \"required\", or does not contain \"sha512\", this is a finding.","fixText":"Configure the SUSE operating system Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength.\n\nEdit \"/etc/pam.d/common-password\" and edit the line containing \"pam_unix.so\" to contain the SHA512 keyword after third column. Remove the \"nullok\" option."},{"id":"c8b57166-090f-4398-9e98-9fbc5bd1dc4a","vulnId":"V-234887","severity":"medium","ruleTitle":"The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.","description":"The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nSatisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061","checkContent":"Verify the SUSE operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash.\n\nCheck that the interactive user account passwords are using a strong password hash with the following command:\n\n> sudo cut -d: -f2 /etc/shadow\n\n$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/\n\nPassword hashes \"!\" or \"*\" indicate inactive accounts not available for logon and are not evaluated. \n\nIf any interactive user password hash does not begin with \"$6\", this is a finding.","fixText":"Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to have a value of \"SHA512\".\n\nENCRYPT_METHOD SHA512\n\nLock all interactive user accounts not using SHA512 hashing until the passwords can be regenerated."},{"id":"0f8684eb-b4dc-4a0e-b674-f8d96c2921b1","vulnId":"V-234888","severity":"medium","ruleTitle":"The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.","description":"The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nSatisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061","checkContent":"Verify the SUSE operating system configures the shadow password suite configuration to encrypt passwords using a strong cryptographic hash.\n\nCheck that a minimum number of hash rounds is configured by running the following command:\n\n> egrep \"^SHA_CRYPT_\" /etc/login.defs\n\nIf only one of \"SHA_CRYPT_MIN_ROUNDS\" or \"SHA_CRYPT_MAX_ROUNDS\" is set, and this value is below \"100000\", this is a finding.\n\nIf both \"SHA_CRYPT_MIN_ROUNDS\" and \"SHA_CRYPT_MAX_ROUNDS\" are set, and the highest value for either is below \"100000\", this is a finding.","fixText":"Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/login.defs\" file and set \"SHA_CRYPT_MIN_ROUNDS\" to a value no lower than \"100000\":\n\nSHA_CRYPT_MIN_ROUNDS 100000"},{"id":"b720d2c1-dc6f-40a5-a376-2a5882f412ea","vulnId":"V-234889","severity":"medium","ruleTitle":"The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).","description":"Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.","checkContent":"Verify the SUSE operating system creates or updates passwords with minimum password age of one day or greater.\n\nTo check that the SUSE operating system enforces 24 hours/one day as the minimum password age, run the following command:\n\n> grep '^PASS_MIN_DAYS' /etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf no output is produced, or if \"PASS_MIN_DAYS\" does not have a value of \"1\" or greater, this is a finding.","fixText":"Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age.\n\nEdit the file \"/etc/login.defs\" and add or correct the following line. Replace [DAYS] with the appropriate amount of days:\n\nPASS_MIN_DAYS [DAYS]\n\nThe DOD requirement is \"1\" but a greater value is acceptable."},{"id":"fed3e41f-94c5-43fa-bcb2-3a693ed20da0","vulnId":"V-234890","severity":"medium","ruleTitle":"The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).","description":"Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.","checkContent":"Verify the SUSE operating system enforces a minimum time period between password changes for each user account of one day or greater.\n\nCheck the minimum time period between password changes for each user account with the following command:\n\n> sudo awk -F: '$4 < 1 {print $1 \":\" $4}' /etc/shadow\n\ndoduser:1\n\nIf any results are returned that are not associated with a system account, this is a finding.","fixText":"Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age for user accounts.\n\nChange the minimum time period between password changes for each [USER] account to \"1\" day with the command, replacing [USER] with the user account that must be changed:\n\n> sudo passwd -n 1 [USER]"},{"id":"30fc275e-624c-4300-a393-d511151a7caf","vulnId":"V-234891","severity":"medium","ruleTitle":"The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.","checkContent":"Verify that the SUSE operating system is configured to create or update passwords with a maximum password age of 60 days or less.\n\nCheck that the SUSE operating system enforces 60 days or less as the maximum password age with the following command:\n\n> grep '^PASS_MAX_DAYS' /etc/login.defs\n\nThe DOD requirement is \"60\" days or less (greater than zero, as zero days will lock the account immediately).\n\nIf no output is produced, or if \"PASS_MAX_DAYS\" is not set to \"60\" days or less, this is a finding.","fixText":"Configure the SUSE operating system to enforce a maximum password age of 60 days or less.\n\nEdit the file \"/etc/login.defs\" and add or correct the following line. Replace [DAYS] with the appropriate amount of days:\n\nPASS_MAX_DAYS [DAYS]\n\nThe DOD requirement is 60 days or less (greater than zero, as zero days will lock the account immediately)."},{"id":"f987c943-6610-4adb-b20f-ae1c4c79bc69","vulnId":"V-234892","severity":"medium","ruleTitle":"The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.","checkContent":"Verify that the SUSE operating system enforces a maximum user password age of 60 days or less.\n\nCheck that the SUSE operating system enforces 60 days or less as the maximum user password age with the following command:\n\n> sudo awk -F: '$5 > 60 || $5 == \"\" {print $1 \":\" $5}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.","fixText":"Configure the SUSE operating system to enforce a maximum password age of each [USER] account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance:\n\n> sudo passwd -x 60 [USER]\n\nThe DOD requirement is 60 days."},{"id":"06e3f3ab-0f27-4529-b906-debf0c07df2f","vulnId":"V-234895","severity":"medium","ruleTitle":"The SUSE operating system must employ passwords with a minimum of 15 characters.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps determine strength and how long it takes to crack a password. Use of more characters in a password helps exponentially increase the time and/or resources required to compromise the password.","checkContent":"Verify the SUSE operating system enforces a minimum 15-character password length.\n\nCheck that the operating system enforces a minimum 15-character password length with the following command:\n\n> grep pam_cracklib.so /etc/pam.d/common-password\npassword requisite pam_cracklib.so minlen=15\n\nIf the command does not return anything, the returned line is commented out, or has a second column value different from \"requisite\", or does not contain \"minlen\" value, or the value is less than \"15\", this is a finding.","fixText":"Configure the SUSE operating system to enforce a minimum 15-character password length.\n\nEdit \"/etc/pam.d/common-password\" and edit the line containing \"pam_cracklib.so\" to contain the option \"minlen=15\" after the third column.\n\nThe DOD standard requires a minimum 15-character password length."},{"id":"9508ecec-ae5d-4bc2-849e-0120af1af5c1","vulnId":"V-234896","severity":"medium","ruleTitle":"The SUSE operating system must enforce passwords that contain at least one special character.","description":"Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSpecial characters are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.","checkContent":"Verify the SUSE operating system enforces password complexity by requiring at least one special character.\n\nCheck that the operating system enforces password complexity by requiring at least one special character using the following command:\n\n> grep pam_cracklib.so /etc/pam.d/common-password\npassword requisite pam_cracklib.so ocredit=-1\n\nIf the command does not return anything, the returned line is commented out, or has a second column value different from \"requisite\", or does not contain \"ocredit=-1\", this is a finding.","fixText":"Configure the SUSE operating system to enforce password complexity by requiring at least one special character.\n\nEdit \"/etc/pam.d/common-password\" and edit the line containing \"pam_cracklib.so\" to contain the option \"ocredit=-1\" after the third column."},{"id":"5ddd40c0-15d5-4bb7-924f-28604643f5f3","vulnId":"V-234897","severity":"medium","ruleTitle":"The SUSE operating system must prevent the use of dictionary words for passwords.","description":"If the SUSE operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.","checkContent":"Verify the SUSE operating system prevents the use of dictionary words for passwords.\n\nCheck that the SUSE operating system prevents the use of dictionary words for passwords with the following command:\n\n> grep pam_cracklib.so /etc/pam.d/common-password\npassword requisite pam_cracklib.so\n\nIf the command does not return anything, or the returned line is commented out, this is a finding.","fixText":"Configure the SUSE operating system to prevent the use of dictionary words for passwords.\n\nEdit \"/etc/pam.d/common-password\" and add the following line:\n\npassword requisite pam_cracklib.so"},{"id":"72a49253-b5bf-48ee-80f9-6709635d884e","vulnId":"V-234898","severity":"high","ruleTitle":"The SUSE operating system must not be configured to allow blank or null passwords.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"Verify the SUSE operating system is not configured to allow blank or null passwords.\n\nCheck that blank or null passwords cannot be used by running the following command:\n\n> grep pam_unix.so /etc/pam.d/* | grep nullok\n\nIf this produces any output, it may be possible to log on with accounts with empty passwords.\n\nIf null passwords can be used, this is a finding.","fixText":"Configure the SUSE operating system to not allow blank or null passwords.\n\nRemove any instances of the \"nullok\" option in \"/etc/pam.d/common-auth\" and \"/etc/pam.d/common-password\" to prevent logons with empty passwords."},{"id":"b045f395-b2c0-4663-9b3c-435a913523c4","vulnId":"V-234899","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk.\n\nTo address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000304-GPOS-00121, SRG-OS-000470-GPOS-00214, SRG-OS-000476-GPOS-00221","checkContent":"Verify the SUSE operating system generates an audit record when all modifications occur to the \"/etc/passwd\" file.\n\nCheck that the file is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/etc/passwd'\n\n-w /etc/passwd -p wa -k account_mod\n\nIf the command does not return a line, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record when all modifications to the \"/etc/passwd\" file occur.\n\nAdd or update the following rule to \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/passwd -p wa -k account_mod\n\nTo reload the rules file, restart the audit daemon:\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"1c2214fd-3455-4b91-8c8c-7d5a2951e0bd","vulnId":"V-234900","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk.\n\nTo address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221","checkContent":"Verify the SUSE operating system generates an audit record when modifications occur to the \"/etc/group\" file.\n\nCheck that the file is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/etc/group'\n\n-w /etc/group -p wa -k account_mod\n\nIf the command does not return a line, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record when all modifications to the \"/etc/group\" file occur.\n\nAdd or update the following rule to \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/group -p wa -k account_mod\n\nTo reload the rules file, restart the audit daemon:\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"3becbbd8-966b-4018-bafe-c5c789cd0755","vulnId":"V-234901","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk.\n\nTo address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221","checkContent":"Verify the SUSE operating system generates an audit record when modifications occur to the \"/etc/shadow\" file.\n\nCheck that the file is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/etc/shadow'\n\n-w /etc/shadow -p wa -k account_mod\n\nIf the command does not return a line, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record when all modifications to the \"/etc/shadow\" file occur.\n\nAdd or update the following rule to \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/shadow -p wa -k account_mod\n\nTo reload the rules file, restart the audit daemon:\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"2d850761-834e-4441-86b6-1c1c37516020","vulnId":"V-234902","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk.\n\nTo address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221","checkContent":"Verify the SUSE operating system generates an audit record when modifications occur to the \"/etc/security/opasswd\" file.\n\nCheck that the file is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/etc/security/opasswd'\n\n-w /etc/security/opasswd -p wa -k account_mod\n\nIf the command does not return a line, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record when all modifications to the \"/etc/security/opasswd\" file occur.\n\nAdd or update the following rule to \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/security/opasswd -p wa -k account_mod\n\nTo reload the rules file, restart the audit daemon:\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"8f05f464-bd1a-4e88-93ff-ebe0f2b7b44a","vulnId":"V-234903","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk.\n\nTo address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221","checkContent":"Verify the SUSE operating system generates an audit record when all modifications occur to the \"/etc/gshadow\" file.\n\nCheck that the file is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/etc/gshadow'\n\n-w /etc/gshadow -p wa -k account_mod\n\nIf the command does not return a line, this is a finding.\n\nNotes:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record when all modifications to the \"/etc/gshadow\" file occur.\n\nAdd or update the following rule to \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/gshadow -p wa -k account_mod\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"95607fb4-98f5-4f45-95b6-e10c1fed50ce","vulnId":"V-234904","severity":"medium","ruleTitle":"SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.","description":"$3d","checkContent":"Verify the SUSE operating system produces audit records.\n\nCheck that the SUSE operating system produces audit records by running the following command to determine the current status of the auditd service:\n\n> systemctl is-active auditd.service\nactive\n\n> systemctl is-enabled auditd.service\nenabled\n\nIf the service is not active or not enabled, this is a finding.","fixText":"Enable the SUSE operating system auditd service by performing the following commands:\n\n> sudo systemctl enable auditd.service\n> sudo systemctl start auditd.service"},{"id":"eb09da4d-fa2e-4d70-9279-0a811cbd8edd","vulnId":"V-234905","severity":"low","ruleTitle":"The SUSE operating system must generate audit records for all uses of the ssh-keysign command.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"ssh-keysign\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/lib/ssh/ssh-keysign'\n\n-a always,exit -S all -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh-keysign\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"ssh-keysign\" command.\n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-keysign\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"40dcc31e-fdc1-4d89-9989-3b1ae89e094c","vulnId":"V-234906","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the passwd command.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"passwd\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/passwd'\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"passwd\" command.\n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"5e6d1c18-31b1-4e26-8d4c-7cd0293cbf87","vulnId":"V-234907","severity":"low","ruleTitle":"The SUSE operating system must generate audit records for all uses of the gpasswd command.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"gpasswd\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/gpasswd'\n\n-a always,exit -S all -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"gpasswd\" command.\n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"1a4cc064-34fc-4eb4-98c5-d8b9c07f865a","vulnId":"V-234908","severity":"low","ruleTitle":"The SUSE operating system must generate audit records for all uses of the newgrp command.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"newgrp\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/newgrp'\n\n-a always,exit -S all -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-newgrp\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"newgrp\" command.\n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-newgrp\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"d78f838b-2f19-485a-98f2-2728c03404a1","vulnId":"V-234909","severity":"low","ruleTitle":"The SUSE operating system must generate audit records for a uses of the chsh command.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"chsh\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/chsh'\n\n-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chsh\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"chsh\" command.\n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chsh\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"7dc562d4-1bc9-4ed0-81e4-6141f95dae70","vulnId":"V-234910","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for any use of the \"unix_chkpwd\" or \"unix2_chkpwd\" commands.\n\nCheck that the commands are being audited by performing the following command:\n\n> sudo auditctl -l | egrep -w \"(unix_chkpwd|unix2_chkpwd)\"\n\n-a always,exit -S all -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-chkpwd\n-a always,exit -S all -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix2-chkpwd\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"unix_chkpwd\" and \"unix2_chkpwd\" commands. \n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-chkpwd\n-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix2-chkpwd\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"bfe22c60-daa2-4126-9523-27a5c083d39e","vulnId":"V-234911","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the chage command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for any use of the \"chage\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/chage'\n\n-a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"chage\" command. \n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"2832dad6-faba-4fcc-bc19-6cdcb1926bf9","vulnId":"V-234912","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the crontab command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for any use of the \"crontab\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/crontab'\n\n-a always,exit -S all -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"crontab\" command.\n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"78a7a697-af71-46d1-b06b-6ed88b5340cf","vulnId":"V-234913","severity":"medium","ruleTitle":"The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the operating system generates audit records when successful/unsuccessful attempts to access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n\nCheck that the file and directory is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/etc/sudoers'\n\n-w /etc/sudoers -p wa -k privileged-actions\n-w /etc/sudoers.d -p wa -k privileged-actions\n\nIf the commands do not return output that match the examples, this is a finding.\n\nNotes:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate audit records when successful/unsuccessful attempts to access the \"/etc/sudoers\" file and files in the \"/etc/sudoers.d/\" directory.\n\nAdd or update the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-w /etc/sudoers -p wa -k privileged-actions\n\n-w /etc/sudoers.d -p wa -k privileged-actions\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"d55c40e2-b955-4202-afcd-ac2fe4a2188b","vulnId":"V-234914","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"$3e","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls. \n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n\n-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access\n\nTo reload the rules file, restart the audit daemon:\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"5c864524-c1a6-49d2-9605-c95d617d013e","vulnId":"V-234918","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck that the system calls are being audited by performing the following command:\n\n> sudo auditctl -l | grep xattr\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\" syscalls, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"setxattr\", \"fsetxattr\", \"lsetxattr\",\"removexattr\", \"fremovexattr\", and \"lremovexattr\" system calls. \n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nTo reload the rules file, restart the audit daemon:\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"164352b4-c655-4017-9b71-ffcd93b89944","vulnId":"V-234924","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown system calls.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck that the system calls are being audited by performing the following command:\n\n> sudo auditctl -l | grep chown\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" syscalls, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. \n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nTo reload the rules file, restart the audit daemon:\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"1771e0dc-a9dc-424a-8cf9-649757478928","vulnId":"V-234928","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"chmod\", \"fchmod\" a,nd \"fchmodat\" system calls.\n\nCheck that the system calls are being audited by performing the following command:\n\n> sudo auditctl -l | grep chmod\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"chmod\", \"fchmod\", and \"fchmodat\" syscalls, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. \n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nTo reload the rules file, restart the audit daemon:\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"a14dddc6-7553-4fa4-8232-160b9ce4c311","vulnId":"V-234932","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the sudoedit command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify an audit record is generated for all uses of the \"sudoedit\" command. \n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/sudoedit'\n\n-a always,exit -S all -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-sudoedit\n\nIf the command does not return any output or the returned line is commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"sudoedit\" command. \n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudoedit\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"9ff142fc-0b34-465f-a29b-864d120dcdd8","vulnId":"V-234933","severity":"low","ruleTitle":"The SUSE operating system must generate audit records for all uses of the chfn command.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"chfn\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/chfn'\n\n-a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the command does not return any output or the returned line is commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"chfn\" command.\n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"a8cf111a-5251-47a2-94aa-f33d52010d17","vulnId":"V-234934","severity":"low","ruleTitle":"The SUSE operating system must generate audit records for all uses of the mount system call.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"mount\" system call.\n\nCheck that the system call is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w 'mount'\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"mount\" syscall, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"mount\" system call.\n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"590377af-f59f-4b7d-9430-a4d9e2832a96","vulnId":"V-234935","severity":"low","ruleTitle":"The SUSE operating system must generate audit records for all uses of the umount system call.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"umount\" and \"umount2\" system calls.\n\nCheck that the system calls are being audited by performing the following command:\n\n> sudo auditctl -l | grep 'umount'\n\n-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=-1 -k privileged-umount\n-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=-1 -k privileged-umount\n-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=-1 -k privileged-umount\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"umount\" syscall, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"umount\" and \"umount2\" system calls.\n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"1e2b2082-6d4a-4417-af9f-fc8c8569d4cb","vulnId":"V-234936","severity":"low","ruleTitle":"The SUSE operating system must generate audit records for all uses of the ssh-agent command.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"ssh-agent\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/ssh-agent'\n\n-a always,exit -S all -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh-agent\n\nIf the command does not return any output or the returned line is commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"ssh-agent\" command.\n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-agent\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"5c278254-62f0-45bc-a776-98f83a299d19","vulnId":"V-234937","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the insmod command.","description":"$3f","checkContent":"Verify the SUSE operating system is generates an audit record for all uses of the \"insmod\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/sbin/insmod'\n\n-w /sbin/insmod -p x -k modules\n\nIf the system is configured to audit the execution of the module management program \"insmod\", the command will return a line.\n\nIf the command does not return a line, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to audit the execution of the module management program \"insmod\" by adding the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-w /sbin/insmod -p x -k modules \n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"38765682-d1a9-49af-80da-78bd57f43d2c","vulnId":"V-234938","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the rmmod command.","description":"$40","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"rmmod\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/sbin/rmmod'\n\n-w /sbin/rmmod -p x -k modules\n\nIf the system is configured to audit the execution of the module management program \"rmmod\", the command will return a line. \n\nIf the command does not return a line, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to audit the execution of the module management program \"rmmod\" by adding the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-w /sbin/rmmod -p x -k modules\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"0b146791-e36c-42b0-8196-f110551acca7","vulnId":"V-234939","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the modprobe command.","description":"$41","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"modprobe\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/sbin/modprobe'\n\n-w /sbin/modprobe -p x -k modules\n\nIf the system is configured to audit the execution of the module management program \"modprobe\", the command will return a line. \n\nIf the command does not return a line, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to audit the execution of the module management program \"modprobe\" by adding the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-w /sbin/modprobe -p x -k modules \n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"a49a2498-f926-4e96-a1a2-21c5aef7f204","vulnId":"V-234940","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the kmod command.","description":"$42","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"kmod\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/kmod'\n\n-w /usr/bin/kmod -p x -k modules\n\nIf the system is configured to audit the execution of the module management program \"kmod\", the command will return a line. \n\nIf the command does not return a line, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to audit the execution of the module management program \"kmod\" by adding the following line to \"/etc/audit/rules.d/audit.rules\":\n\n-w /usr/bin/kmod -p x -k modules\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"7dacc1be-c00a-464f-b312-f8cdb64eccbe","vulnId":"V-234941","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the chmod command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"chmod\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/chmod'\n\n-a always,exit -S all -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"chmod\" command. \n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"18590944-8a72-4887-afc1-61553991c8d1","vulnId":"V-234942","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the setfacl command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"setfacl\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/setfacl'\n\n-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"setfacl\" command. \n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"13814ff4-15d8-461e-8416-1daaddb73129","vulnId":"V-234943","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the chacl command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"chacl\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/chacl'\n\n-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"chacl\" command. \n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"d560b35d-d5b4-4b8c-9e5d-6820e6bedf5a","vulnId":"V-234944","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the chcon command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"chcon\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/chcon'\n\n-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"chcon\" command.\n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"5ff9741c-0ed0-405a-bb6e-6052b60ebe59","vulnId":"V-234945","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the rm command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"rm\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/rm'\n\n-a always,exit -S all -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"rm\" command. \n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"ac2a11f4-46d7-4863-a499-5bddb00798c0","vulnId":"V-234946","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218","checkContent":"Verify the SUSE operating system generates an audit record when all modifications to the \"tallylog\" file occur.\n\nCheck that the file is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/var/log/tallylog'\n\n-w /var/log/tallylog -p wa -k logins\n\nIf the command does not return a line, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for any all modifications to the \"tallylog\" file occur. \n\nAdd or update the following rule to \"/etc/audit/rules.d/audit.rules\":\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"468c831e-b1f6-4bd6-98d3-5ac5ae4c8e58","vulnId":"V-234947","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all modifications to the lastlog file.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218","checkContent":"Verify the SUSE operating system generates an audit record when all modifications to the \"lastlog\" file occur.\n\nCheck that the file is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/var/log/lastlog'\n\n-w /var/log/lastlog -p wa -k logins\n\nIf the command does not return a line, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for any all modifications to the \"lastlog\" file occur. \n\nAdd or update the following rule to \"/etc/audit/rules.d/audit.rules\":\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"5ae0e337-3524-4985-b3c0-9645f6cc9ff5","vulnId":"V-234948","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the passmass command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"passmass\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/passmass'\n\n-a always,exit -S all -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passmass\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"passmass\" command. \n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passmass\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"e9769910-fc81-481e-bf3f-2e27b682730e","vulnId":"V-234949","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the usermod command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for any use of the \"usermod\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/sbin/usermod'\n\n-a always,exit -S all -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"usermod\" command. \n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"4d5a7c23-9a2b-444c-b3a2-233c26548fd4","vulnId":"V-234950","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215","checkContent":"Verify the SUSE operating system generates an audit record for any use of the \"pam_timestamp_check\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/sbin/pam_timestamp_check'\n\n-a always,exit -S all -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check\n\nIf the command does not return any output, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"pam_timestamp_check\" command. \n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"43af43b4-3639-42d7-815b-36cf2c481e1e","vulnId":"V-234951","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the delete_module system call.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"delete_module\" system call.\n\nCheck that the system call is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w 'delete_module'\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -k unload_module\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k unload_module\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"unload_module\" syscall, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"delete_module\" system call. \n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"ea25948b-0f86-4095-bd82-4bc9f99514df","vulnId":"V-234952","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the init_module and finit_module system calls.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"init_module\" and \"finit_module\" system calls.\n\nCheck that the system calls are being audited by performing the following command:\n\n> sudo auditctl -l | grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k moduleload\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k moduleload\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the init_module\" and \"finit_module\" syscalls, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"init_module\" and \"finit_module\" system calls. \n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload\n\nTo reload the rules file, restart the audit daemon:\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"9de67b84-7b41-479a-b971-1ac1451661d5","vulnId":"V-234954","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the su command.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000042-GPOS-00020","checkContent":"Verify the SUSE operating system generates an audit record for any use of the \"su\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/su'\n\n-a always,exit -S all -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change\n\nIf the command does not return any output or the returned line is commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"su\" command. \n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"6bcdb9fc-cbaa-47c8-b94a-c168132508c9","vulnId":"V-234955","severity":"low","ruleTitle":"The SUSE operating system must generate audit records for all uses of the sudo command.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000042-GPOS-00020","checkContent":"Verify the SUSE operating system generates an audit record for any use of the \"sudo\" command.\n\nCheck that the command is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/usr/bin/sudo'\n\n-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-sudo\n\nIf the command does not return any output, or the returned line is commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"sudo\" command.\n\nAdd or update the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudo\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"34f510bb-6b06-46a2-a05e-07a0919c26c7","vulnId":"V-234956","severity":"medium","ruleTitle":"The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","checkContent":"Verify the administrators are notified in the event of a SUSE operating system audit processing failure by inspecting \"/etc/audit/auditd.conf\".\n\nCheck if the system is configured to send email to an account when it needs to notify an administrator with the following command: \n\n> sudo grep action_mail /etc/audit/auditd.conf\n\naction_mail_acct = root\n\nIf the value of the \"action_mail_acct\" keyword is not set to \"root\" and/or other accounts for security personnel, the \"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a finding.","fixText":"Configure the auditd service to notify the administrators in the event of a SUSE operating system audit processing failure. \n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure that administrators are notified via email for those situations:\n\naction_mail_acct = root"},{"id":"215a5249-c81e-49e8-bc06-f29c39d49f6d","vulnId":"V-234957","severity":"medium","ruleTitle":"The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","checkContent":"Verify the administrators are notified in the event of a SUSE operating system audit processing failure by checking that \"/etc/aliases\" has a defined value for root.\n\n> grep -i \"^postmaster:\" /etc/aliases\n\npostmaster: root\n\nIf the above command does not return a value of \"root\", or the output is commented out, this is a finding\n\nVerify the alias for root forwards to a monitored e-mail account:\n\n> grep -i \"^root:\" /etc/aliases\nroot: person@server.mil\n\nIf the alias for root does not forward to a monitored e-mail account, or the output is commented out, this is a finding.","fixText":"Configure the auditd service to notify the administrators in the event of a SUSE operating system audit processing failure. \n\nConfigure an alias value for the postmaster with the following command:\n\n> sudo sh -c 'echo \"postmaster: root\" >> /etc/aliases' \n\nConfigure an alias for root that forwards to a monitored email address with the following command:\n\n> sudo sh -c 'echo \"root: box@server.mil\" >> /etc/aliases'\n\nThe following command must be run to implement changes to the /etc/aliases file:\n\n> sudo newaliases"},{"id":"557bb722-bb2a-4fa3-9ede-898a938997f2","vulnId":"V-234958","severity":"medium","ruleTitle":"The SUSE operating system audit system must take appropriate action when the audit storage volume is full.","description":"$43","checkContent":"Verify the SUSE operating system takes the appropriate action when the audit storage volume is full. \n\nCheck that the SUSE operating system takes the appropriate action when the audit storage volume is full with the following command:\n\n> sudo grep disk_full_action /etc/audit/auditd.conf\n\ndisk_full_action = SYSLOG\n\nIf the value of the \"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented out, this is a finding.","fixText":"Configure the SUSE operating system to shut down by default upon audit failure (unless availability is an overriding concern).\n\nAdd or update the following line (depending on configuration \"disk_full_action\" can be set to \"SYSLOG\", \"SINGLE\", or \"HALT\" depending on configuration) in \"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT"},{"id":"0af0dd03-8c1c-4763-aa37-72443e5f2daf","vulnId":"V-234959","severity":"medium","ruleTitle":"The SUSE operating system must protect audit rules from unauthorized modification.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029","checkContent":"Verify that the SUSE operating system protects audit rules from unauthorized modification.\n\nCheck that \"permissions.local\" file contains the correct permissions rules with the following command:\n\n> grep -i audit /etc/permissions.local\n\n/var/log/audit root:root 600\n/var/log/audit/audit.log root:root 600\n/etc/audit/audit.rules root:root 640\n/etc/audit/rules.d/audit.rules root:root 640\n\nIf the command does not return any output, this is a finding.\n\nCheck that all of the audit information files and folders have the correct permissions with the following command:\n\n> sudo chkstat /etc/permissions.local\n\nIf the command returns any output, this is a finding.","fixText":"Configure the SUSE operating system to protect audit rules from unauthorized modification.\n\nAdd or update the following rules in \"/etc/permissions.local\":\n\n/var/log/audit root:root 600\n/var/log/audit/audit.log root:root 600\n/etc/audit/audit.rules root:root 640\n/etc/audit/rules.d/audit.rules root:root 640\n\nSet the correct permissions with the following command:\n\n> sudo chkstat --set /etc/permissions.local"},{"id":"2f6026bb-6a49-4695-94bc-343bb76dc957","vulnId":"V-234961","severity":"medium","ruleTitle":"The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access.","description":"Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nSUSE operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.\n\nAudit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099","checkContent":"Verify that the SUSE operating system audit tools have the proper permissions configured in the permissions profile to protect from unauthorized access.\n\nCheck that \"permissions.local\" file contains the correct permissions rules with the following command:\n\n> grep \"^/usr/sbin/au\" /etc/permissions.local\n\n/usr/sbin/audispd root:root 0750\n/usr/sbin/auditctl root:root 0750\n/usr/sbin/auditd root:root 0750\n/usr/sbin/ausearch root:root 0755\n/usr/sbin/aureport root:root 0755\n/usr/sbin/autrace root:root 0750\n/usr/sbin/augenrules root:root 0750\n\nIf the command does not return any output, this is a finding.\n\nCheck that all of the audit information files and folders have the correct permissions with the following command:\n\n> sudo chkstat /etc/permissions.local\n\nIf the command returns any output, this is a finding.","fixText":"Configure the SUSE operating system audit tools to have proper permissions set in the permissions profile to protect from unauthorized access.\n\nEdit the file \"/etc/permissions.local\" and insert the following text:\n\n/usr/sbin/audispd root:root 0750\n/usr/sbin/auditctl root:root 0750\n/usr/sbin/auditd root:root 0750\n/usr/sbin/ausearch root:root 0755\n/usr/sbin/aureport root:root 0755\n/usr/sbin/autrace root:root 0750\n/usr/sbin/augenrules root:root 0750\n\nSet the correct permissions with the following command:\n\n> sudo chkstat --set /etc/permissions.local"},{"id":"8361e9dd-d9cc-4797-9ef4-5ebd777e9ba8","vulnId":"V-234962","severity":"medium","ruleTitle":"The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.","description":"Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nAudit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs.\n\nTo address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.","checkContent":"Verify that the SUSE operating system file integrity tool is configured to protect the integrity of the audit tools.\n\nCheck that AIDE is properly configured to protect the integrity of the audit tools by running the following command:\n\n> sudo grep /usr/sbin/au /etc/aide.conf\n\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n\nIf AIDE is properly configured to protect the integrity of the audit tools, all lines listed above will be returned from the command. \n\nIf one or more lines are missing, or is commented out, this is a finding.","fixText":"Configure the SUSE operating system file integrity tool to protect the integrity of the audit tools.\n\nAdd or update the following lines to \"/etc/aide.conf\" to protect the integrity of the audit tools:\n\n# audit tools\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512"},{"id":"5da8c7d8-4f3f-4d51-9e5d-8456a291d73b","vulnId":"V-234963","severity":"low","ruleTitle":"The SUSE operating system must generate audit records for all uses of the privileged functions.","description":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.\n\nSatisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152","checkContent":"Verify the SUSE operating system generates an audit record for any privileged use of the \"execve\" system call.\n\n> sudo auditctl -l | grep -w 'execve'\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n\nIf both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.\n\nIf both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not defined, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for any privileged use of the \"execve\" system call.\n\nAdd or update the following rules in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid\n\nTo reload the rules file, restart the audit daemon:\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"064e7885-5a20-49b0-9f01-89676d7a11c6","vulnId":"V-234964","severity":"medium","ruleTitle":"The SUSE operating system must have the auditing package installed.","description":"$44","checkContent":"Verify the SUSE operating system auditing package is installed.\n\nCheck that the \"audit\" package is installed by performing the following command:\n\n> zypper info audit | grep Installed \n\ni | audit | User Space Tools for 2.6 Kernel Auditing \n\nIf the package \"audit\" is not installed on the system, then this is a finding.","fixText":"The SUSE operating system auditd package must be installed on the system. If it is not installed, use the following command to install it:\n\n> sudo zypper in audit"},{"id":"82a1c108-c8c6-40e4-9325-145633d1e2e1","vulnId":"V-234965","severity":"medium","ruleTitle":"The SUSE operating system must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.","description":"To ensure SUSE operating systems have a sufficient storage capacity in which to write the audit logs, SUSE operating systems need to be able to allocate audit record storage capacity.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of the SUSE operating system.","checkContent":"$45","fixText":"Allocate enough storage capacity for at least one week of SUSE operating system audit records when audit records are not immediately sent to a central audit record storage facility.\n\nIf audit records are stored on a partition made specifically for audit records, use the \"YaST2 - Partitioner\" program (installation and configuration tool for Linux) to resize the partition with sufficient space to contain one week of audit records.\n\nIf audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of space will need be to be created. The new partition can be created using the \"YaST2 - Partitioner\" program on the system."},{"id":"5137e311-f7dc-4749-9225-25f7b2aa0998","vulnId":"V-234966","severity":"medium","ruleTitle":"The audit-audispd-plugins must be installed on the SUSE operating system.","description":"The audit-audispd-plugins must be installed on the SUSE operating system.","checkContent":"Verify that the \"audit-audispd-plugins\" package is installed on the SUSE operating system. \n\nCheck that the \"audit-audispd-plugins\" package is installed on the SUSE operating system with the following command:\n\n> zypper info audit-audispd-plugins | grep Installed\n\nIf the \"audit-audispd-plugins\" package is not installed, this is a finding.","fixText":"Install the \"audit-audispd-plugins\" package on the SUSE operating system by running the following command:\n\n> sudo zypper install audit-audispd-plugins"},{"id":"ff9a8c37-fe45-4359-9348-b2a0bbc8c65c","vulnId":"V-234967","severity":"low","ruleTitle":"The SUSE operating system audit event multiplexor must be configured to use Kerberos.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nAllowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Audit events that may include sensitive data must be encrypted prior to transmission. Kerberos provides a mechanism to provide both authentication and encryption for audit event records.","checkContent":"Determine if the SUSE operating system audit event multiplexor is configured to use Kerberos by running the following command:\n\n> sudo grep transport /etc/audit/audisp-remote.conf\ntransport = krb5\n\nIf \"transport\" is not set to \"krb5\", or is commented out, this is a finding.","fixText":"Configure the SUSE operating system audit event multiplexor to use Kerberos by editing the \"/etc/audit/audisp-remote.conf\" file. \n\nEdit or add the following line to match the text below:\n\ntransport = krb5"},{"id":"6f2803ea-cfec-4b85-a9f0-7269cb36eb11","vulnId":"V-234968","severity":"low","ruleTitle":"Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.","checkContent":"Verify \"audispd\" off-loads audit records onto a different system or media from the SUSE operating system being audited.\n\nCheck if \"audispd\" is configured to off-load audit records onto a different system or media from the SUSE operating system by running the following command:\n\n> sudo grep remote_server /etc/audit/audisp-remote.conf\nremote_server = 192.168.1.101\n\nIf \"remote_server\" is not set to an external server or media, or is commented out, this is a finding.","fixText":"Configure the SUSE operating system \"/etc/audit/audisp-remote.conf\" file to off-load audit records onto a different system or media by adding or editing the following line with the correct IP address:\n\nremote_server = [IP ADDRESS]"},{"id":"3bef8a2c-32ee-4d9e-99f3-9f9ef311cb5a","vulnId":"V-234969","severity":"medium","ruleTitle":"The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.","description":"If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.","checkContent":"$46","fixText":"Check the system configuration to determine the partition to which the audit records are written: \n\n> sudo grep -iw log_file /etc/audit/auditd.conf\n\nDetermine the size of the partition to which audit records are written (e.g., \"/var/log/audit/\"):\n\n> df -h /var/log/audit/\n\nSet the value of the \"space_left\" keyword in \"/etc/audit/auditd.conf\" to 25 percent of the partition size."},{"id":"6a041eb5-ad3e-4ee9-aebc-5b7d9d76343e","vulnId":"V-234973","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat, and rmdir system calls.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.","checkContent":"Verify the SUSE operating system generates an audit record for all uses of the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nCheck that the system calls are being audited by performing the following command:\n\n> sudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k perm_mod\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for all uses of the \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls. \n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k perm_mod\n\nTo reload the rules file, restart the audit daemon:\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"f66bb652-088c-413d-aef2-dd2f4731d8a9","vulnId":"V-234975","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for the /run/utmp file.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Verify the SUSE operating system generates an audit record for the \"/run/utmp\" file.\n\nCheck that the file is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/run/utmp'\n\n-w /run/utmp -p wa -k login_mod\n\nIf the command does not return a line that match the example, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for the \"/run/utmp\" file. \n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-w /run/utmp -p wa -k login_mod\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"c4dee39e-ece1-4c73-8a87-47899c34e38f","vulnId":"V-234976","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for the /var/log/wtmp file.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Verify the SUSE operating system generates an audit record for the \"/var/log/wtmp\" file.\n\nCheck that the file is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/var/log/wtmp'\n\n-w /var/log/wtmp -p wa -k login_mod\n\nIf the command does not return a line that matches the example, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for the \"/var/log/wtmp\" file. \n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-w /var/log/wtmp -p wa -k login_mod\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"12a1e6cb-ccf3-4282-8661-cb3820e31a3c","vulnId":"V-234977","severity":"medium","ruleTitle":"The SUSE operating system must generate audit records for the /var/log/btmp file.","description":"Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Verify the SUSE operating system generates an audit record for the \"/var/log/btmp\" file.\n\nCheck that the file is being audited by performing the following command:\n\n> sudo auditctl -l | grep -w '/var/log/btmp'\n\n-w /var/log/btmp -p wa -k login_mod\n\nIf the command does not return a line that matches the example, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure the SUSE operating system to generate an audit record for the \"/var/log/btmp\" file. \n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n-w /var/log/btmp -p wa -k login_mod\n\nTo reload the rules file, restart the audit daemon\n\n> sudo systemctl restart auditd.service\n\nor issue the following command:\n\n> sudo augenrules --load"},{"id":"1c9fbfa1-c9e4-432e-abab-bab9d3cfa1c5","vulnId":"V-234978","severity":"medium","ruleTitle":"The SUSE operating system must off-load audit records onto a different system or media from the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.","checkContent":"Verify what action the audit system takes if it cannot off-load audit records to a different system or storage media from the SUSE operating system being audited.\n\nCheck the action that the audit system takes in the event of a network failure with the following command:\n\n> sudo grep -i \"network_failure_action\" /etc/audit/audisp-remote.conf\n\nnetwork_failure_action = syslog\n\nIf the \"network_failure_action\" option is not set to \"syslog\", \"single\", or \"halt\" or the line is commented out, this is a finding.","fixText":"Configure the SUSE operating system to take the appropriate action if it cannot off-load audit records to a different system or storage media from the system being audited due to a network failure.\n\nUncomment the \"network_failure_action\" option in \"/etc/audit/audisp-remote.conf\" and set it to \"syslog\", \"single\", or \"halt\". See the example below:\n\nnetwork_failure_action = syslog"},{"id":"f17a8568-acf2-4e78-89b2-19e196d8c990","vulnId":"V-234979","severity":"medium","ruleTitle":"Audispd must take appropriate action when the SUSE operating system audit storage is full.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.","checkContent":"Verify the audit system off-loads audit records if the SUSE operating system storage volume becomes full.\n\nCheck that the records are properly off-loaded to a remote server with the following command:\n\n> sudo grep -i \"disk_full_action\" /etc/audit/audisp-remote.conf\ndisk_full_action = syslog\n\nIf \"disk_full_action\" is not set to \"syslog\", \"single\", or \"halt\" or the line is commented out, this is a finding.","fixText":"Configure the SUSE operating system to take the appropriate action if the audit storage is full.\n\nAdd, edit, or uncomment the \"disk_full_action\" option in \"/etc/audit/audisp-remote.conf\". Set it to \"syslog\", \"single\" or \"halt\" as in the example below:\n\ndisk_full_action = syslog"},{"id":"8769ef52-5cb1-4ddc-96c1-d44d76242040","vulnId":"V-234980","severity":"low","ruleTitle":"The SUSE operating system must use a separate file system for the system audit data path.","description":"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.","checkContent":"Verify that the SUSE operating system has a separate file system/partition for the system audit data path.\n\nCheck that a file system/partition has been created for the system audit data path with the following command:\n\nNote: \"/var/log/audit\" is used as the example as it is a common location.\n\n> grep /var/log/audit /etc/fstab\nUUID=3645951a /var/log/audit ext4 defaults 1 2\n\nIf a separate entry for the system audit data path (in this example the \"/var/log/audit\" path) does not exist, ask the System Administrator if the system audit logs are being written to a different file system/partition on the system and then grep for that file system/partition. \n\nIf a separate file system/partition does not exist for the system audit data path, this is a finding.","fixText":"Migrate the SUSE operating system audit data path onto a separate file system."},{"id":"603ee7a5-c2c9-41f0-a678-bb1828ae3225","vulnId":"V-234981","severity":"medium","ruleTitle":"The SUSE operating system must not disable syscall auditing.","description":"By default, the SUSE operating system includes the \"-a task,never\" audit rule as a default. This rule suppresses syscall auditing for all tasks started with this rule in effect. Because the audit daemon processes the \"audit.rules\" file from the top down, this rule supersedes all other defined syscall rules; therefore no syscall auditing can take place on the operating system.","checkContent":"Verify syscall auditing has not been disabled:\n\n> auditctl -l | grep -i \"a task,never\"\n\nIf any results are returned, this is a finding.\n\nVerify the default rule \"-a task,never\" is not statically defined :\n\n> grep -rv \"^#\" /etc/audit/rules.d/ | grep -i \"a task,never\"\n\nIf any results are returned, this is a finding.","fixText":"Remove the \"-a task,never\" rule from the /etc/audit/rules.d/audit.rules file.\n\nThe audit daemon must be restarted for the changes to take effect.\n\n> sudo systemctl restart auditd.service"},{"id":"62c984ed-7c14-4a28-9cd3-5e8f6b074fdb","vulnId":"V-234982","severity":"medium","ruleTitle":"The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.","description":"Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.","checkContent":"Verify the SUSE operating system enforces a delay of at least four seconds between logon prompts following a failed logon attempt.\n\nCheck that the SUSE operating system enforces a delay of at least four seconds between logon prompts following a failed logon attempt with the following command:\n\n> grep FAIL_DELAY /etc/login.defs\nFAIL_DELAY 4\n\nIf the value of \"FAIL_DELAY\" is not set to \"4\", \"FAIL_DELAY\" is commented out, or \"FAIL_DELAY\" is missing, then this is a finding.","fixText":"Configure the SUSE operating system to enforce a delay of at least four seconds between logon prompts following a failed logon attempt.\n\nAdd or update the following variable in \"/etc/login.defs\" to match the line below (\"FAIL_DELAY\" must have a value of \"4\" or higher):\n\nFAIL_DELAY 4"},{"id":"2f835138-f20e-4e70-a61d-d82ff6053702","vulnId":"V-234983","severity":"medium","ruleTitle":"The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.","description":"The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.","checkContent":"Verify the SUSE operating system enforces a delay of at least four seconds between logon prompts following a failed logon attempt.\n\n> grep pam_faildelay /etc/pam.d/common-auth\nauth required pam_faildelay.so delay=4000000\n\nIf the value of \"delay\" is not set to \"4000000\", \"delay\" is commented out, \"delay\" is missing, or the \"pam_faildelay\" line is missing completely, this is a finding.","fixText":"Configure the SUSE operating system to enforce a delay of at least four seconds between logon prompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\".\n\nAdd a parameter \"pam_faildelay\" and set it to:\n\n> delay is in micro seconds\nauth required pam_faildelay.so delay=4000000"},{"id":"35ebbcb5-7c46-4552-b464-e300f02c669f","vulnId":"V-234984","severity":"high","ruleTitle":"There must be no .shosts files on the SUSE operating system.","description":"The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.","checkContent":"Text: Verify there are no \".shosts\" files on the SUSE operating system.\n\nCheck the system for the existence of these files with the following command:\n\n> sudo find / \$ -path /.snapshots -o -path /sys -o -path /proc \$ -prune -o -name '.shosts' -print\n\nIf any \".shosts\" files are found on the system, this is a finding.","fixText":"Remove any \".shosts\" files found on the SUSE operating system.\n\n> sudo rm /[path]/[to]/[file]/.shosts"},{"id":"5f4bb1f5-d068-45a8-924f-1003e443e4e3","vulnId":"V-234985","severity":"high","ruleTitle":"There must be no shosts.equiv files on the SUSE operating system.","description":"The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.","checkContent":"Verify there are no \"shosts.equiv\" files on the SUSE operating system.\n\nCheck the system for the existence of these files with the following command:\n\n> sudo find /etc -name shosts.equiv\n\nIf any \"shosts.equiv\" files are found on the system, this is a finding.","fixText":"Remove any \"shosts.equiv\" files found on the SUSE operating system.\n\n> sudo rm /[path]/[to]/[file]/shosts.equiv"},{"id":"eedeb616-3485-432e-9fe8-227e9e4f09fd","vulnId":"V-234986","severity":"low","ruleTitle":"The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).","description":"ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.","checkContent":"Verify that the SUSE operating system file integrity tool is configured to verify extended attributes.\n\nIf there is no application installed to perform integrity checks, this is a finding.\n\nCheck the \"/etc/aide.conf\" file to determine if the \"xattrs\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"acl\" rule follows:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All > apply the custom rule to the files in bin \n /sbin All > apply the same custom rule to the files in sbin \n\nIf the \"acl\" rule is not being used on all selection lines in the \"/etc/aide.conf\" file, or extended attributes are not being checked by another file integrity tool, this is a finding.","fixText":"Configure the SUSE operating system file integrity tool to check file and directory ACLs. \n\nIf AIDE is installed, ensure the \"acl\" rule is present on all file and directory selection lists."},{"id":"3f62e3a3-b42f-485c-b77e-2fab71aeaee8","vulnId":"V-234987","severity":"low","ruleTitle":"The SUSE operating system file integrity tool must be configured to verify extended attributes.","description":"Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.","checkContent":"Verify that the SUSE operating system file integrity tool is configured to verify extended attributes.\n\nIf there is no application installed to perform integrity checks, this is a finding.\n\nCheck the \"/etc/aide.conf\" file to determine if the \"xattrs\" rule has been added to the rule list being applied to the files and directories selection lists.\n\nAn example rule that includes the \"xattrs\" rule follows:\n\n All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n /bin All > apply the custom rule to the files in bin \n /sbin All > apply the same custom rule to the files in sbin \n\nIf the \"xattrs\" rule is not being used on all selection lines in the \"/etc/aide.conf\" file, or extended attributes are not being checked by another file integrity tool, this is a finding.","fixText":"Configure the SUSE operating system file integrity tool to check file and directory extended attributes. \n\nIf AIDE is installed, ensure the \"xattrs\" rule is present on all file and directory selection lists."},{"id":"b872a276-bf64-4ad5-bd7d-9627127a1212","vulnId":"V-234988","severity":"high","ruleTitle":"The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.","description":"A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.","checkContent":"Verify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.\n\nCheck that the ctrl-alt-del.target is masked with the following command:\n\n> systemctl status ctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (/dev/null; maksed)\nActive: inactive (dead)\n\nIf the ctrl-alt-del.target is not masked, this is a finding.","fixText":"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:\n\n> sudo systemctl disable ctrl-alt-del.target\n\n> sudo systemctl mask ctrl-alt-del.target\n\nAnd reload the daemon to take effect \n\n> sudo systemctl daemon-reload"},{"id":"82b1845c-8d25-425e-941e-a3a6f31aab07","vulnId":"V-234989","severity":"high","ruleTitle":"The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.","description":"A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.","checkContent":"Note: If a graphical user interface is not installed, this requirement is Not Applicable.\n\nVerify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed in the graphical user interface.\n\nCheck that the dconf setting was disabled to allow the Ctrl-Alt-Delete sequence in the graphical user interface with the following command:\n\nCheck the default logout key sequence:\n\n> sudo gsettings get org.gnome.settings-daemon.plugins.media-keys logout\n''\n\nCheck that the value is not writable and cannot be changed by the user:\n\n> sudo gsettings writable org.gnome.settings-daemon.plugins.media-keys logout\nfalse\n\nIf the logout value is not [''] and the writable status is not false, this is a finding.","fixText":"Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface.\n\nCreate a database to contain the systemwide setting (if it does not already exist) with the following steps:\n\n1. Create a user profile and with the listed content:\n\n/etc/dconf/profile/user\nuser-db:user\nsystem-db:local\n\n2. Create the following directories:\n\n> sudo mkdir -p /etc/dconf/db/local.d/\n> sudo mkdir -p /etc/dconf/db/local.d/locks/\n\n3. Add the following files with the listed content:\n\n/etc/dconf/db/local.d/01-fips-settings\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\n/etc/dconf/db/local.d/locks/01-fips-locks \n/org/gnome/settings-daemon/plugins/media-keys/logout\n\n4. Update the dconf database: \n\n> sudo dconf update"},{"id":"94e2d663-c48a-40c9-a122-39545a1917a2","vulnId":"V-234990","severity":"high","ruleTitle":"The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence.","description":"A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.","checkContent":"Verify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command:\n\n> systemd-analyze cat-config systemd/system.conf\n\n# /etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction.conf\nCtrlAltDelBurstAction=none\n\nIf the \"CtrlAltDelBurstAction\" is not set to \"none\", commented out, or is missing, this is a finding.\nIf the setting is not configured in a drop in file, this is a finding.","fixText":"Configure the system to disable the CtrlAltDelBurstAction by adding it to a drop file in a \"/etc/systemd/system.conf.d/\" configuration file:\n\nIf no drop file exists, create one with the following command:\n\n> sudo touch /etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction\n\nEdit the file to contain the setting by adding the following text:\n\nCtrlAltDelBurstAction=none\n\nReload the daemon for this change to take effect:\n\n> sudo systemctl daemon-reexec"},{"id":"a1359609-0786-43ae-82ad-316a1e0218e7","vulnId":"V-234991","severity":"medium","ruleTitle":"All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.","description":"If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.","checkContent":"Verify SUSE operating system local interactive users on the system have a home directory assigned.\n\nCheck for missing local interactive user home directories with the following command:\n\n> sudo pwck -r\nuser 'doduser': directory '/home/doduser' does not exist\n\nAsk the system administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command:\n\n> awk -F: '($3>=1000)&&($1!=\"nobody\"){print $1 \":\" $3}' /etc/passwd\n\nIf any interactive users do not have a home directory assigned, this is a finding.","fixText":"Assign home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned.\n\nAssign a home directory to users via the usermod command:\n\n> sudo usermod -d /home/doduser doduser"},{"id":"abbfd0da-efe4-4f86-a46a-ae98eace0a54","vulnId":"V-234992","severity":"medium","ruleTitle":"All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.","description":"If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.","checkContent":"Verify the assigned home directory of all SUSE operating system local interactive users on the system exists.\n\nCheck the home directory assignment for all local interactive nonprivileged users on the system with the following command:\n\n> awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $6}' /etc/passwd\n\ndoduser /home/doduser\n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\nCheck that all referenced home directories exist with the following command:\n\n> sudo pwck -r\n\nuser 'doduser': directory '/home/doduser' does not exist\n\nIf any home directories referenced in \"/etc/passwd\" are returned as not defined, this is a finding.","fixText":"Create home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in \"/etc/ passwd\":\n\nNote: The example will be for the user doduser, who has a home directory of \"/home/doduser\", a UID of \"doduser\", and a Group Identifier (GID) of \"users assigned\" in \"/etc/passwd\".\n\n> sudo mkdir /home/doduser \n> sudo chown doduser /home/doduser\n> sudo chgrp users /home/doduser\n> sudo chmod 0750 /home/doduser"},{"id":"c2e1a762-90cf-4276-9ace-f087a50bba64","vulnId":"V-234993","severity":"medium","ruleTitle":"All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.","description":"Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.","checkContent":"Verify the assigned home directory of all SUSE operating system local interactive users has a mode of \"0750\" or less permissive.\n\nCheck the home directory assignment for all nonprivileged users on the system with the following command:\n\nNote: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.\n\n> ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)\n-rwxr-x--- 1 doduser users 18 Mar 5 17:06 /home/doduser\n\nIf home directories referenced in \"/etc/passwd\" do not have a mode of \"0750\" or less permissive, this is a finding.","fixText":"Change the mode of SUSE operating system local interactive user's home directories to \"0750\". To change the mode of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user \"doduser\".\n\n> sudo chmod 0750 /home/doduser"},{"id":"607a370e-6589-48dc-943f-20619e95c5bf","vulnId":"V-234994","severity":"medium","ruleTitle":"All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.","description":"If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.","checkContent":"Verify the assigned home directory of all SUSE operating system local interactive users is group-owned by that user's primary GID.\n\nCheck the home directory assignment for all nonprivileged users on the system with the following command:\n\nNote: This may miss local interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory \"/home/doduser\" is used as an example.\n\n> awk -F: '($3>=1000)&&($7 !~ /nologin/){print $4, $6}' /etc/passwd)\n250:/home/doduser\n\nCheck the user's primary group with the following command:\n\n> grep users /etc/group\nusers:x:250:doduser,doduser,nsauser\n\nIf the user home directory referenced in \"/etc/passwd\" is not group-owned by that user's primary GID, this is a finding.","fixText":"Change the group owner of a SUSE operating system local interactive user's home directory to the group found in \"/etc/passwd\". To change the group owner of a local interactive user's home directory, use the following command:\n\nNote: The example will be for the user \"doduser\", who has a home directory of \"/home/doduser\", and has a primary group of users.\n\n> sudo chgrp users /home/doduser"},{"id":"af1fc866-4f75-44e0-a840-e085a3062768","vulnId":"V-234995","severity":"medium","ruleTitle":"All SUSE operating system local initialization files must have mode 0740 or less permissive.","description":"Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.","checkContent":"Verify that all SUSE operating system local initialization files have a mode of \"0740\" or less permissive.\n\nCheck the mode on all SUSE operating system local initialization files with the following command:\n\nNote: The example will be for the user \"doduser\", who has a home directory of \"/home/doduser\".\n\n> sudo ls -al /home/doduser/.* | more\n-rwxr-xr-x 1 doduser users 896 Mar 10 2011 .profile\n-rwxr-xr-x 1 doduser users 497 Jan 6 2007 .login\n-rwxr-xr-x 1 doduser users 886 Jan 6 2007 .something\n\nIf any local initialization files have a mode more permissive than \"0740\", this is a finding.","fixText":"Set the mode of SUSE operating system local initialization files to \"0740\" with the following command:\n\nNote: The example will be for the doduser user, who has a home directory of \"/home/doduser\".\n\n> sudo chmod 0740 /home/doduser/."},{"id":"228f55b1-ab3e-41e6-b5fa-4123512ac3c6","vulnId":"V-234996","severity":"medium","ruleTitle":"All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.","description":"The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the information system security officer (ISSO).","checkContent":"Verify that all SUSE operating system local interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the user's home directory.\n\nCheck the executable search path statement for all operating system local interactive user initialization files in the user's home directory with the following commands:\n\nNote: The example will be for the user \"doduser\", who has a home directory of \"/home/doduser\".\n\n> sudo grep -i path= /home/doduser/.*\n/home/doduser/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin\n\nIf any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the ISSO as an operational requirement, this is a finding.","fixText":"Edit the SUSE operating system local interactive user initialization files to change any PATH variable statements for executables that reference directories other than their home directory. If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO."},{"id":"880e1ef2-aadc-404f-b882-41e09e068bdb","vulnId":"V-234997","severity":"medium","ruleTitle":"All SUSE operating system local initialization files must not execute world-writable programs.","description":"If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.","checkContent":"Verify that SUSE operating system local initialization files do not execute world-writable programs.\n\nVerify that SUSE operating system local initialization files do not\nexecute world-writable programs.\n\nCheck the system for world-writable files with the following command:\n\n> sudo find / -xdev -perm -002 -type f -exec ls -ld {} \\;\n\nFor all files listed, check for their presence in the local\ninitialization files with the following command:\n\nNote: The example will be for a system that is configured to create\nusers' home directories in the \"/home\" directory.\n\n> sudo find /home/* -maxdepth 1 -type f -name \\.\\* -exec grep -H {} \\;\n\nIf any local initialization files are found to reference world-writable\nfiles, this is a finding.","fixText":"Remove the references to these files in the local initialization scripts or remove the world-writable permission of files referenced by SUSE operating system local initialization scripts with the following command:\n\n> sudo chmod 0755 "},{"id":"f472bbd5-052f-466a-bf4a-1c54ee462ddb","vulnId":"V-234998","severity":"medium","ruleTitle":"SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.","description":"The \"nosuid\" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.","checkContent":"Verify that SUSE operating system file systems that contain user home directories are mounted with the \"nosuid\" option.\n\nPrint the currently active file system mount options of the file system(s) that contain the user home directories with the following command:\n\n> for X in `awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd`; do findmnt -nkT $X; done | sort -r\n/home /dev/mapper/system-home ext4 rw,nosuid,relatime,data=ordered\n\nIf a file system containing user home directories is not mounted with the FSTYPE OPTION nosuid, this is a finding.\n\nNote: If a separate file system has not been created for the user home directories (user home directories are mounted under \"/\"), this is not a finding as the \"nosuid\" option cannot be used on the \"/\" system.","fixText":"Configure the SUSE operating system \"/etc/fstab\" file to use the \"nosuid\" option on file systems that contain user home directories for interactive users.\n\nRe-mount the filesystems.\n\n> sudo mount -o remount /home"},{"id":"eddadc29-34c4-4a9b-a2f4-d6cd3acf18be","vulnId":"V-234999","severity":"medium","ruleTitle":"SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.","description":"The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.","checkContent":"Verify SUSE operating system file systems used for removable media are mounted with the \"nosuid\" option.\n\nCheck the file systems that are mounted at boot time with the following command:\n\n> more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nosuid\" option set, this is a finding.","fixText":"Configure the SUSE operating system \"/etc/fstab\" file to use the \"nosuid\" option on file systems that are associated with removable media."},{"id":"ececbe8b-0ce9-49ac-ae92-c5ab2a94d1e5","vulnId":"V-235000","severity":"medium","ruleTitle":"SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.","description":"The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.","checkContent":"Verify SUSE operating system file systems that are being NFS exported are mounted with the \"nosuid\" option.\n\nFind the file system(s) that contain the directories being exported with the following command:\n\n> grep nfs /etc/fstab\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"nosuid\" option set, this is a finding.","fixText":"Configure the SUSE operating system \"/etc/fstab\" file to use the \"nosuid\" option on file systems that are being exported via NFS."},{"id":"83f66786-466e-4552-96bf-ce5d97ad4087","vulnId":"V-235001","severity":"medium","ruleTitle":"SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.","description":"The \"noexec\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.","checkContent":"Verify the SUSE operating system file systems that are being NFS exported are mounted with the \"noexec\" option.\n\nFind the file system(s) that contain the directories being exported with the following command:\n\n> grep nfs /etc/fstab\n\nUUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0\n\nIf a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"noexec\" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.","fixText":"Configure the SUSE operating system \"/etc/fstab\" file to use the \"noexec\" option on file systems that are being exported via NFS."},{"id":"2ee5030f-badc-4078-bcd8-45cda5590f1f","vulnId":"V-235002","severity":"medium","ruleTitle":"All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.","description":"If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.","checkContent":"Verify all SUSE operating system world-writable directories are group-owned by root, sys, bin, or an application group.\n\nCheck the system for world-writable directories with the following command:\n\n> sudo find / -perm -002 -type d -exec ls -lLd {} \\;\ndrwxrwxrwt. 2 root root 40 Aug 26 13:07 /dev/mqueue\ndrwxrwxrwt. 2 root root 220 Aug 26 13:23 /dev/shm\ndrwxrwxrwt. 14 root root 4096 Aug 26 13:29 /tmp\n\nIf any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.","fixText":"Change the group of the SUSE operating system world-writable directories to root with the following command:\n\n> sudo chgrp root "},{"id":"5c0f57e5-e8bb-4b70-8308-3d17a77932c0","vulnId":"V-235003","severity":"medium","ruleTitle":"SUSE operating system kernel core dumps must be disabled unless needed.","description":"Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.","checkContent":"Verify that SUSE operating system kernel core dumps are disabled unless needed.\n\nCheck the status of the \"kdump\" service with the following command:\n\n> systemctl status kdump.service\nLoaded: not-found (Reason: No such file or directory)\nActive: inactive (dead)\n\nIf the \"kdump\" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).\n\nIf the service is active and is not documented, this is a finding.","fixText":"If SUSE operating system kernel core dumps are not required, disable the \"kdump\" service with the following command:\n\n> sudo systemctl disable kdump.service\n\nIf kernel core dumps are required, document the need with the ISSO."},{"id":"57d3c1e3-09a3-4c60-967c-8f1d900b5f71","vulnId":"V-235004","severity":"low","ruleTitle":"A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).","description":"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.","checkContent":"$47","fixText":"Create a separate file system/partition for SUSE operating system nonprivileged local interactive user home directories.\n\nMigrate the nonprivileged local interactive user home directories onto the separate file system/partition."},{"id":"c8b42741-e384-493a-a62d-13a72d2e8b85","vulnId":"V-235005","severity":"low","ruleTitle":"The SUSE operating system must use a separate file system for /var.","description":"The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.","checkContent":"Verify that the SUSE operating system has a separate file system/partition for \"/var\".\n\nCheck that a file system/partition has been created for \"/var\" with the following command:\n\n> grep /var /etc/fstab\nUUID=c274f65f /var ext4 noatime,nobarrier 1 2\n\nIf a separate entry for \"/var\" is not in use, this is a finding.","fixText":"Create a separate file system/partition on the SUSE operating system for \"/var\".\n\nMigrate \"/var\" onto the separate file system/partition."},{"id":"ce2e7f88-3276-43a3-b132-95bf6d82f5bd","vulnId":"V-235006","severity":"medium","ruleTitle":"The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.","description":"The \"pam-config\" command line utility automatically generates a system PAM configuration as packages are installed, updated, or removed from the system. \"pam-config\" removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security.","checkContent":"Verify the SUSE operating system is configured to not overwrite PAM configuration on package changes.\n\nCheck that soft links between PAM configuration files are removed with the following command:\n\n> find /etc/pam.d/ -type l -iname \"common-*\"\n\nIf any results are returned, this is a finding.","fixText":"Copy the PAM configuration files to their static locations and remove the SUSE operating system soft links for the PAM configuration files with the following command:\n\n> sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done'\n\nAdditional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/."},{"id":"3c08721c-e101-4ece-a31c-5aba6363458a","vulnId":"V-235007","severity":"medium","ruleTitle":"The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.","description":"Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.","checkContent":"Verify the SUSE operating system SSH daemon is configured to not allow authentication using \"known hosts\" authentication.\n\nTo determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set, run the following command:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*ignoreuserknownhosts'\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding.","fixText":"Configure the SUSE operating system SSH daemon to not allow authentication using \"known hosts\" authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\", or uncomment the line and set the value to \"yes\":\n\nIgnoreUserKnownHosts yes"},{"id":"c92f9545-3dc1-4629-9718-b033ea86a40a","vulnId":"V-235008","severity":"medium","ruleTitle":"The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.","description":"If a public host key file is modified by an unauthorized user, the SSH service may be compromised.","checkContent":"Verify the SUSE operating system SSH daemon public host key files have mode \"0644\" or less permissive.\n\nNote: SSH public key files may be found in other directories on the system depending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n> find /etc/ssh -name 'ssh_host*key.pub' -exec stat -c \"%a %n\" {} \\;\n\n644 /etc/ssh/ssh_host_rsa_key.pub\n644 /etc/ssh/ssh_host_dsa_key.pub\n644 /etc/ssh/ssh_host_ecdsa_key.pub\n644 /etc/ssh/ssh_host_ed25519_key.pub\n\nIf any file has a mode more permissive than \"0644\", this is a finding.","fixText":"Configure the SUSE operating system SSH daemon public host key files have mode \"0644\" or less permissive.\n\nNote: SSH public key files may be found in other directories on the system depending on the installation. \n\nChange the mode of public host key files under \"/etc/ssh\" to \"0644\" with the following command:\n\n> sudo chmod 0644 /etc/ssh/ssh_host*key.pub"},{"id":"b938f6d6-8eae-4539-986b-c85e8c926c80","vulnId":"V-235009","severity":"medium","ruleTitle":"The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.","description":"If an unauthorized user obtains the private SSH host key file, the host could be impersonated.","checkContent":"Verify the SUSE operating system SSH daemon private host key files have mode \"0640\" or less permissive.\n\nThe following command will find all SSH private key files on the system:\n\n > sudo find / -name '*ssh_host*key' -exec ls -lL {} \\;\n\nCheck the mode of the private host key files under \"/etc/ssh\" file with the following command:\n\n > find /etc/ssh -name 'ssh_host*key' -exec stat -c \"%a %n\" {} \\;\n\n 640 /etc/ssh/ssh_host_rsa_key\n 640 /etc/ssh/ssh_host_dsa_key\n 640 /etc/ssh/ssh_host_ecdsa_key\n 640 /etc/ssh/ssh_host_ed25519_key\n\nIf any file has a mode more permissive than \"0640\", this is a finding.","fixText":"Configure the mode of the SUSE operating system SSH daemon private host key files under \"/etc/ssh\" to \"0640\" with the following command:\n\n > sudo chmod 0640 /etc/ssh/ssh_host*key"},{"id":"c480a104-5eee-4d1b-b782-c01e310c9898","vulnId":"V-235010","severity":"medium","ruleTitle":"The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.","description":"If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.","checkContent":"Verify the SUSE operating system SSH daemon performs strict mode checking of home directory configuration files.\n\nCheck that the SSH daemon performs strict mode checking of home directory configuration files with the following command:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*strictmodes'\n\nStrictModes yes\n\nIf \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding.","fixText":"Configure the SUSE operating system SSH daemon performs strict mode checking of home directory configuration files.\n\nUncomment the \"StrictModes\" keyword in \"/etc/ssh/sshd_config\" and set the value to \"yes\":\n\nStrictModes yes"},{"id":"9af2172a-67b7-4ece-9558-622c4982b0d6","vulnId":"V-235013","severity":"medium","ruleTitle":"The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.","description":"The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\nX11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.\nIf X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.","checkContent":"Determine if X11Forwarding is disabled. \n\nVerify the SUSE operating system SSH daemon remote X forwarded connections for interactive users are disabled.\n\nCheck that SSH remote X forwarded connections are disabled with the following command:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*x11forwarding'\n\nX11Forwarding no\n\nIf the \"X11Forwarding\" keyword is set to \"yes\" and is not documented with the information system security officer (ISSO) as an operational requirement, is missing, or is commented out, this is a finding.","fixText":"Configure the SUSE operating system SSH daemon to disable forwarded X connections for interactive users.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and set its value to \"no\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding no"},{"id":"2c2b61df-3799-4513-a446-f0fd12ee7502","vulnId":"V-235014","severity":"medium","ruleTitle":"The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.","description":"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4/IPv6 forwarding is enabled and the system is functioning as a router.","checkContent":"Verify the SUSE operating system does not accept IPv4 source-routed packets.\n\nCheck the value of the IPv4 accept source route variable with the following command:\n\n> sudo sysctl net.ipv4.conf.all.accept_source_route\nnet.ipv4.conf.all.accept_source_route = 0\n\nIf the network parameter \"ipv4.conf.all.accept_source_route\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to disable IPv4 source routing by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv4.conf.all.accept_source_route=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"64f4ec46-0834-4883-9872-34f33e8988cf","vulnId":"V-235015","severity":"medium","ruleTitle":"The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.","description":"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.","checkContent":"Verify the SUSE operating system does not accept IPv6 source-routed packets.\n\nCheck the value of the IPv6 accept source route variable with the following command:\n\n> sudo sysctl net.ipv6.conf.all.accept_source_route\nnet.ipv6.conf.all.accept_source_route = 0\n\nIf the network parameter \"ipv6.conf.all.accept_source_route\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to disable IPv6 source routing by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv6.conf.all.accept_source_route=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv6.conf.all.accept_source_route=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"c7d39477-e6f5-493d-a3c6-06a23761678e","vulnId":"V-235016","severity":"medium","ruleTitle":"The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.","description":"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.","checkContent":"Verify the SUSE operating system does not accept IPv4 source-routed packets by default.\n\nCheck the value of the default IPv4 accept source route variable with the following command:\n\n> sudo sysctl net.ipv4.conf.default.accept_source_route\nnet.ipv4.conf.default.accept_source_route = 0\n\nIf the network parameter \"ipv4.conf.default.accept_source_route\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to disable IPv4 default source routing by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv4.conf.default.accept_source_route=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"5104082b-67bb-4193-abbb-2d1d24edf146","vulnId":"V-235017","severity":"medium","ruleTitle":"The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.","description":"Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.","checkContent":"Verify the SUSE operating system does not accept IPv6 source-routed packets by default.\n\nCheck the value of the default IPv6 accept source route variable with the following command:\n\n> sudo sysctl net.ipv6.conf.default.accept_source_route\nnet.ipv6.conf.default.accept_source_route = 0\n\nIf the network parameter \"ipv6.conf.default.accept_source_route\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to disable IPv6 default source routing by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv6.conf.default.accept_source_route=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv6.conf.default.accept_source_route=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"c10a356d-3a8c-4c6e-9477-f206f594f5ed","vulnId":"V-235018","severity":"medium","ruleTitle":"The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.","checkContent":"Verify the SUSE operating system does not accept IPv4 ICMP redirect messages.\n\nCheck the value of the IPv4 accept_redirects variable with the following command:\n\n> sudo sysctl net.ipv4.conf.all.accept_redirects\nnet.ipv4.conf.all.accept_redirects =0\n\nIf the network parameter \"ipv4.conf.all.accept_redirects\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to not accept IPv4 ICMP redirect messages by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv4.conf.all.accept_redirects=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"b1f4f436-023c-465d-b099-1c82a522691b","vulnId":"V-235019","severity":"medium","ruleTitle":"The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.","checkContent":"Verify the SUSE operating system does not accept IPv4 ICMP redirect messages by default.\n\nCheck the value of the default IPv4 accept_redirects variable with the following command:\n\n> sudo sysctl net.ipv4.conf.default.accept_redirects\nnet.ipv4.conf.default.accept_redirects = 0\n\nIf the network parameter \"ipv4.conf.default.accept_redirects\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to not accept IPv4 ICMP redirect messages by default by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv4.conf.default.accept_redirects=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"c0d4bdb5-90ec-49ec-a27a-6c629cab088a","vulnId":"V-235020","severity":"medium","ruleTitle":"The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.","checkContent":"Verify the SUSE operating system does not accept IPv6 ICMP redirect messages.\n\nCheck the value of the IPv6 accept_redirects variable with the following command:\n\n> sudo sysctl net.ipv6.conf.all.accept_redirects\nnet.ipv6.conf.all.accept_redirects =0\n\nIf the network parameter \"ipv6.conf.all.accept_redirects\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to not accept IPv6 ICMP redirect messages by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv6.conf.all.accept_redirects=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv6.conf.all.accept_redirects=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"c469050e-0eb6-4562-9d67-770b9f58e976","vulnId":"V-235021","severity":"medium","ruleTitle":"The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.","checkContent":"Verify the SUSE operating system does not allow IPv6 ICMP redirect messages by default.\n\nCheck the value of the default IPv6 accept_redirects variable with the following command:\n\n> sudo sysctl net.ipv6.conf.default.accept_redirects\nnet.ipv6.conf.default.accept_redirects = 0\n\nIf the network parameter \"ipv6.conf.default.accept_redirects\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to not accept IPv6 ICMP redirect messages by default by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv6.conf.default.accept_redirects=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv6.conf.default.accept_redirects=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"794de3a3-634f-4627-a379-b84ba65e70cd","vulnId":"V-235022","severity":"medium","ruleTitle":"The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.","checkContent":"Verify the SUSE operating system does not allow interfaces to perform IPv4 ICMP redirects by default.\n\nCheck the value of the default IPv4 send_redirects variable with the following command:\n\n> sudo sysctl net.ipv4.conf.default.send_redirects\nnet.ipv4.conf.default.send_redirects = 0\n\nIf the network parameter \"ipv4.conf.default.send_redirects\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects by default by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv4.conf.default.send_redirects=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv4.conf.default.send_redirects=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"e585dde4-0f4f-4c38-9291-c80534330472","vulnId":"V-235023","severity":"medium","ruleTitle":"The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.","description":"ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.","checkContent":"Verify the SUSE operating system does not allow interfaces to perform IPv4 ICMP redirects.\n\nCheck the value of the IPv4 send_redirects variable with the following command:\n\n> sudo sysctl net.ipv4.conf.all.send_redirects\nnet.ipv4.conf.all.send_redirects = 0\n\nIf the network parameter \"ipv4.conf.all.send_redirects\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv4.conf.all.send_redirects=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"c0d3aaac-b6a7-4d5f-8c07-38cf1cfb62fe","vulnId":"V-235024","severity":"medium","ruleTitle":"The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.","description":"Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.","checkContent":"Verify the SUSE operating system is not performing IPv4 packet forwarding, unless the system is a router.\n\nCheck to see if IPv4 forwarding is disabled using the following command:\n\n> sudo sysctl net.ipv4.ip_forward\nnet.ipv4.ip_forward = 0\n\nIf the network parameter \"ipv4.ip_forward\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to not performing IPv4 packet forwarding by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv4.ip_forward=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv4.ip_forward=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"c4d66646-09f2-41aa-8e3e-81586871767b","vulnId":"V-235025","severity":"medium","ruleTitle":"The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.","description":"Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.","checkContent":"Verify the SUSE operating system is not performing IPv6 packet forwarding, unless the system is a router.\n\nCheck to see if IPv6 forwarding is enabled using the following command:\n\n> sudo sysctl net.ipv6.conf.all.forwarding\nnet.ipv6.conf.all.forwarding = 0\n\nIf the network parameter \"ipv6.conf.all.forwarding\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to not performing IPv6 packet forwarding by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv6.conf.all.forwarding=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv6.conf.all.forwarding=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"584b7dd7-97a7-4919-a28e-ad5d95529804","vulnId":"V-235026","severity":"medium","ruleTitle":"The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.","description":"Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.","checkContent":"Verify the SUSE operating system is not performing IPv6 packet forwarding by default, unless the system is a router.\n\nCheck to see if IPv6 forwarding is disabled by default using the following command:\n\n> sudo sysctl net.ipv6.conf.default.forwarding\nnet.ipv6.conf.default.forwarding = 0\n\nIf the network parameter \"ipv6.conf.default.forwarding\" is not equal to \"0\" or nothing is returned, this is a finding.","fixText":"Configure the SUSE operating system to not performing IPv6 packet forwarding by default by running the following command as an administrator:\n\n> sudo sysctl -w net.ipv6.conf.default.forwarding=0\n\nIf \"0\" is not the system's default value, add or update the following line in \"/etc/sysctl.d/99-stig.conf\":\n\n> sudo sh -c 'echo \"net.ipv6.conf.default.forwarding=0\" >> /etc/sysctl.d/99-stig.conf'\n\n> sudo sysctl --system"},{"id":"40bb0f3b-2d37-435d-86fa-4522fda7e504","vulnId":"V-235027","severity":"medium","ruleTitle":"The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.","description":"Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems.\n\nIf the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.","checkContent":"Verify the SUSE operating system network interfaces are not in promiscuous mode unless approved by the ISSO and documented.\n\nCheck for the status with the following command:\n\n> ip link | grep -i promisc\n\nIf network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.","fixText":"Configure the SUSE operating system network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.\n\nSet the promiscuous mode of an interface to off with the following command:\n\n> sudo ip link set dev promisc off"},{"id":"aad5d6de-8f95-47c6-94ac-3310ea01098b","vulnId":"V-235028","severity":"medium","ruleTitle":"All SUSE operating system files and directories must have a valid owner.","description":"Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier (UID) as the UID of the unowned files.","checkContent":"Verify that all SUSE operating system files and directories on the system have a valid owner.\n\nCheck the owner of all files and directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n\n> sudo find / -fstype xfs -nouser\n\nIf any files on the system do not have an assigned owner, this is a finding.","fixText":"Either remove all files and directories from the SUSE operating system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the \"chown\" command:\n\n> sudo chown "},{"id":"7e6ea1bc-53c0-43d2-a97d-e9856830f844","vulnId":"V-235029","severity":"medium","ruleTitle":"All SUSE operating system files and directories must have a valid group owner.","description":"Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.","checkContent":"Verify all SUSE operating system files and directories on the system have a valid group.\n\nCheck the owner of all files and directories with the following command:\n\nNote: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.\n\n> sudo find / -fstype xfs -nogroup\n\nIf any files on the system do not have an assigned group, this is a finding.","fixText":"Either remove all files and directories from the SUSE operating system that do not have a valid group, or assign a valid group to all files and directories on the system with the \"chgrp\" command:\n\n> sudo chgrp "},{"id":"3e015d9a-568f-4e74-824a-29eb29196d47","vulnId":"V-235030","severity":"medium","ruleTitle":"The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.","description":"Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.","checkContent":"Verify the SUSE operating system defines default permissions for all authenticated users in such a way that the users can only read and modify their own files. \n\nCheck the system default permissions with the following command:\n\n> grep -i \"^umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\" variable is set to \"000\", the severity is raised to a CAT I, and this is a finding.\n\nIf the value of \"UMASK\" is not set to \"077\", or \"UMASK\" is missing, this is a finding.","fixText":"Configure the SUSE operating system to define the default permissions for all authenticated users in such a way that the users can only read and modify their own files.\n\nAdd or edit the \"UMASK\" parameter in the \"/etc/login.defs\" file to match the example below:\n\nUMASK 077"},{"id":"70f52120-618e-4c37-9772-b8fd39062a8b","vulnId":"V-235031","severity":"high","ruleTitle":"The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI).","description":"Failure to restrict system access to authenticated users negatively impacts SUSE operating system security.","checkContent":"Note: If a graphical user interface is not installed, this requirement is Not Applicable.\n\nVerify the SUSE operating system does not allow unattended or automatic logon via the GUI.\n\nCheck that unattended or automatic login is disabled with the following commands:\n\n> grep -i ^DISPLAYMANAGER_AUTOLOGIN /etc/sysconfig/displaymanager\n\nDISPLAYMANAGER_AUTOLOGIN=\"\"\n\n> grep -i ^DISPLAYMANAGER_PASSWORD_LESS_LOGIN /etc/sysconfig/displaymanager\n\nDISPLAYMANAGER_PASSWORD_LESS_LOGIN=\"no\"\n\nIf the \"DISPLAYMANAGER_AUTOLOGIN\" parameter includes a username or the\n\"DISPLAYMANAGER_PASSWORD_LESS_LOGIN\"\nIf parameter is not set to \"no\", this is a finding.","fixText":"Note: If a graphical user interface is not installed, this requirement is Not Applicable.\n\nConfigure the SUSE operating system GUI to not allow unattended or automatic logon to the system.\n\nAdd or edit the following lines in the \"/etc/sysconfig/displaymanager\"\nconfiguration file:\n\nDISPLAYMANAGER_AUTOLOGIN=\"\"\nDISPLAYMANAGER_PASSWORD_LESS_LOGIN=\"no\""},{"id":"758e70f8-07f4-4858-b07c-873acbdfe540","vulnId":"V-235032","severity":"high","ruleTitle":"The SUSE operating system must not allow unattended or automatic logon via SSH.","description":"Failure to restrict system access via SSH to authenticated users negatively impacts SUSE operating system security.","checkContent":"Verify the SUSE operating system disables unattended or automatic logon via SSH.\n\nCheck that unattended or automatic logon via SSH is disabled with the following command:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iEH '^\\s*(permit(.*?)(passwords|environment))'\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf \"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are missing completely, or are commented out, this is a finding.","fixText":"Configure the SUSE operating system disables unattended or automatic logon via SSH.\n\nAdd or edit the following lines in the \"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no"},{"id":"c6968d3e-a8bd-4c4f-9491-ab57cbe93987","vulnId":"V-251723","severity":"medium","ruleTitle":"The SUSE operating system must specify the default \"include\" directory for the /etc/sudoers file.","description":"$48","checkContent":"Note: If the \"include\" and \"includedir\" directives are not present in the /etc/sudoers file, this requirement is not applicable.\n\nVerify the operating system specifies only the default \"include\" directory for the /etc/sudoers file with the following command:\n\n> sudo grep include /etc/sudoers\n\n@includedir /etc/sudoers.d\n\nIf the results are not \"/etc/sudoers.d\" or additional files or directories are specified, this is a finding.\n\nVerify the operating system does not have nested \"include\" files or directories within the /etc/sudoers.d directory with the following command:\n\n> sudo grep -r include /etc/sudoers.d\n\nIf results are returned, this is a finding.","fixText":"Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.\n\nEdit the /etc/sudoers file with the following command:\n\n> sudo visudo\n\nAdd or modify the following line:\n@includedir /etc/sudoers.d"},{"id":"a602bb9c-3502-4e23-b78e-d746d299dd8c","vulnId":"V-251724","severity":"medium","ruleTitle":"The SUSE operating system must not be configured to bypass password requirements for privilege escalation.","description":"Without re-authentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.\n\nSatisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158","checkContent":"Verify the operating system is not be configured to bypass password requirements for privilege escalation.\n\nCheck the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n\n$ sudo grep pam_succeed_if /etc/pam.d/sudo\n\nIf any occurrences of \"pam_succeed_if\" are returned from the command, this is a finding.","fixText":"Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/ pam.d/sudo\" file with the following command:\n\n$ sudo vi /etc/pam.d/sudo\n\nRemove any occurrences of \"pam_succeed_if\" in the file."},{"id":"62e92ed4-ff4e-40fb-8e03-150a91757e41","vulnId":"V-251725","severity":"high","ruleTitle":"The SUSE operating system must not have accounts configured with blank or null passwords.","description":"If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.","checkContent":"Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F: '!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.","fixText":"Configure all accounts on the system to have a password or lock the account with the following commands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo passwd -l [username]"},{"id":"ff1c0777-5e0c-41ac-a42b-fb1966479c2e","vulnId":"V-255920","severity":"medium","ruleTitle":"The SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.","description":"Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.\n\nThe system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values \"strongest to weakest\" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.","checkContent":"Verify the SSH server is configured to use only FIPS-validated key exchange algorithms:\n\n> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*kexalgorithms'\n\nKexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\n \nIf \"KexAlgorithms\" is not configured, is commented out, or does not contain only the algorithms \"ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\" in exact order, this is a finding.","fixText":"Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in \"/etc/ssh/sshd_config\":\n\n KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256\n\nRestart the \"sshd\" service for changes to take effect:\n\n $ sudo systemctl restart sshd"},{"id":"18293408-27de-4226-b5d3-f605b92eb4f5","vulnId":"V-255921","severity":"low","ruleTitle":"The SUSE operating system must restrict access to the kernel message buffer.","description":"Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.","checkContent":"Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:\n\n $ sudo sysctl kernel.dmesg_restrict\n kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter:\n\n $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null\n /etc/sysctl.conf:kernel.dmesg_restrict = 1\n /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1\n\nIf \"kernel.dmesg_restrict\" is not set to \"1\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.","fixText":"Configure the operating system to restrict access to the kernel message buffer.\n\nSet the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory:\n\n kernel.dmesg_restrict = 1\n\nRemove any configurations that conflict with the above from the following locations: \n /run/sysctl.d/\n /etc/sysctl.d/\n /usr/local/lib/sysctl.d/\n /usr/lib/sysctl.d/\n /lib/sysctl.d/\n /etc/sysctl.conf\n\nReload settings from all system configuration files with the following command:\n\n $ sudo sysctl --system"},{"id":"c1360156-cd07-445f-a9ee-063661dd58e1","vulnId":"V-255922","severity":"medium","ruleTitle":"The SUSE operating system must use a file integrity tool to verify correct operation of all security functions.","description":"Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to the SUSE operating system performing security function verification/testing and/or systems and environments that require this functionality.","checkContent":"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions.\n\nCheck that the AIDE package is installed with the following command:\n $ sudo zypper if aide | grep \"Installed\"\n Installed: Yes\n\nIf AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. \n\nIf there is no application installed to perform integrity checks, this is a finding.\n\nIf AIDE is installed, check if it has been initialized with the following command:\n $ sudo aide --check\n\nIf the output is \"Couldn't open file /var/lib/aide/aide.db for reading\", this is a finding.","fixText":"Install AIDE, initialize it, and perform a manual check.\n\nInstall AIDE:\n $ sudo zipper in aide\n\nInitialize it (this may take a few minutes):\n $ sudo aide -i\n\nThe new database will need to be renamed to be read by AIDE:\n $ sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db\n\nPerform a manual check:\n $ sudo aide --check\n\nExample output:\n Summary:\n Total number of files: 140621\n Added files: 1\n Removed files: 1\n Changed files: 0\n\nDone."},{"id":"5afee2c4-efd2-4172-afa2-8ff0626eba40","vulnId":"V-256983","severity":"medium","ruleTitle":"The SUSE operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.","description":"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.","checkContent":"Verify that the operating system is configured to allow sending email notifications.\n\nNote: The \"mailx\" package provides the \"mail\" command that is used to send email messages.\n\nVerify that the \"mailx\" package is installed on the system:\n\n > sudo zypper se mailx\n\n i | mailx | A MIME-Capable Implementation of the mailx Command | package\n\t \nIf \"mailx\" package is not installed, this is a finding.","fixText":"Install the \"mailx\" package on the system:\n\n > sudo zypper install mailx"},{"id":"fcb047ff-0ee7-4ded-969a-d21b7839bc87","vulnId":"V-274879","severity":"medium","ruleTitle":"The SUSE operating system must audit any script or executable called by cron as root or by any privileged user.","description":"Any script or executable called by cron as root or by any privileged user must be owned by that user, must have the permissions 755 or more restrictive, and have no extended rights that allow any nonprivileged user to modify the script or executable.","checkContent":"Verify the SUSE operating system is configured to audit the execution of any system call made by cron as root or as any privileged user.\n\n> sudo auditctl -l | grep /etc/cron.d\n-w /etc/cron.d -p wa -k cronjobs\n\n$ sudo auditctl -l | grep /var/spool/cron\n-w /var/spool/cron -p wa -k cronjobs\n\nIf either of these commands do not return the expected output, or the lines are commented out, this is a finding.","fixText":"Configure the SUSE operating system to audit the execution of any system call made by cron as root or as any privileged user.\n\nAdd or update the following file system rules to \"/etc/audit/rules.d/audit.rules\":\n\nauditctl -w /etc/cron.d/ -p wa -k cronjobs\nauditctl -w /var/spool/cron/ -p wa -k cronjobs\n\nTo load the rules to the kernel immediately, use the following command:\n\n> sudo augenrules --load"}]}]]}]

SUSE Linux Enterprise Server 15 Security Technical Implementation Guide

Checks (214)