SUSE Linux Enterprise Server 15 Security Technical Implementation Guide-MAC-3 - Sensitive
id | severity | title | description
--- | --- | --- | ---
V-234825 | medium | The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for sys | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication th
V-234826 | medium | The SUSE operating system SSH daemon must be configured to only use Message Authentication Cod | Satisfies: SRG-OS-000125-GPOS-00065, SRG-OS-000394-GPOS-00174
V-234827 | medium | The SUSE operating system SSH daemon must be configured with a timeout interval. | Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
V-234820 | high | SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must requir | If the system allows a user to boot into single-user or maintenance mode without authentication, any
V-234821 | medium | The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, pr | Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00232
V-234822 | medium | The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users. | Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062
V-234823 | medium | The SUSE operating system must disable the file system automounter unless required. | Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163
V-234983 | medium | The SUSE operating system must enforce a delay of at least four seconds between logon prompts foll | The SUSE operating system must enforce a delay of at least four seconds between logon prompts foll
V-234982 | medium | The SUSE operating system must enforce a delay of at least four seconds between logon prompts foll | Limiting the number of logon attempts over a certain time interval reduces the chances that an unau
V-234981 | medium | The SUSE operating system must not disable syscall auditing. | By default, the SUSE operating system includes the "-a task,never" audit rule as a default. This rule su
V-234980 | low | The SUSE operating system must use a separate file system for the system audit data path. | The use of separate file systems for different paths can protect the system from failures resulting from
V-234828 | medium | The sticky bit must be set on all SUSE operating system world-writable directories. | There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific informati
V-234829 | medium | The SUSE operating system must be configured to use TCP syncookies. | Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacit
V-234985 | high | There must be no shosts.equiv files on the SUSE operating system. | The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-ba
V-234984 | high | There must be no .shosts files on the SUSE operating system. | The .shosts files are used to configure host-based authentication for individual users or the system vi
V-234988 | high | The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence. | A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If a
V-235027 | medium | The SUSE operating system must not have network interfaces in promiscuous mode unless approve | If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with th
V-235026 | medium | The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwardin | Routing protocol daemons are typically used on routers to exchange network topology information wi
V-235025 | medium | The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwardi | Routing protocol daemons are typically used on routers to exchange network topology information wi
V-235024 | medium | The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwardi | Routing protocol daemons are typically used on routers to exchange network topology information wi
V-235023 | medium | The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a part
V-235022 | medium | The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Inte | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a part
V-235021 | medium | The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) In | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a part
V-235020 | medium | The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a part
V-235029 | medium | All SUSE operating system files and directories must have a valid group owner. | Files without a valid group owner may be unintentionally inherited if a group is assigned the same Gro
V-235028 | medium | All SUSE operating system files and directories must have a valid owner. | Unowned files and directories may be unintentionally inherited if a user is assigned the same User Ide
V-234910 | medium | The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_ | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00
V-234911 | medium | The SUSE operating system must generate audit records for all uses of the chage command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00
V-234912 | medium | The SUSE operating system must generate audit records for all uses of the crontab command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00
V-234913 | medium | The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ d | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
V-234914 | medium | The SUSE operating system must generate audit records for all uses of the creat, open, openat, open | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00
V-234918 | medium | The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxat | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00
V-234837 | medium | The SUSE operating system library directories must be owned by root. | This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
V-234836 | medium | The SUSE operating system library files must be owned by root. | This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
V-234835 | medium | The SUSE operating system library directories must have mode 0755 or less permissive. | This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
V-234834 | medium | The SUSE operating system library files must have mode 0755 or less permissive. | This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
V-234833 | medium | The SUSE operating system must prevent unauthorized users from accessing system error messages. | The structure and content of error messages must be carefully considered by the organization and development team. The ex
V-234832 | medium | The SUSE operating system must generate error messages that provide information necessary for corre | The /var/log/btmp, /var/log/wtmp, and /var/log/lastlog files have group write and global read permissions to allow for the las
V-234831 | medium | All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prev | Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184
V-234830 | medium | The SUSE operating system for all network connections associated with SSH traffic must immediately te | This capability is typically reserved for specific SUSE operating system functionality where the system owner, data owner, or o
V-234987 | low | The SUSE operating system file integrity tool must be configured to verify extended attributes. | Extended attributes in file systems are used to contain arbitrary data and file metadata with security
V-234839 | medium | The SUSE operating system library directories must be group-owned by root. | This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
V-234838 | medium | The SUSE operating system library files must be group-owned by root. | This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
V-235018 | medium | The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a part
V-235019 | medium | The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) In | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a part
V-235013 | medium | The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive | X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the u If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the
V-235010 | medium | The SUSE operating system SSH daemon must perform strict mode checking of home directory configu | If other users have access to modify user-specific SSH configuration files, they may be able to log on
V-235016 | medium | The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets | Source-routed packets allow the source of the packet to suggest that routers forward the packet alon
V-235017 | medium | The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets | Source-routed packets allow the source of the packet to suggest that routers forward the packet alon
V-235014 | medium | The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packet | Source-routed packets allow the source of the packet to suggest that routers forward the packet alon
V-235015 | medium | The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packet | Source-routed packets allow the source of the packet to suggest that routers forward the packet alon
V-255920 | medium | The SUSE operating system SSH server must be configured to use only FIPS-validated key exchange a | The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "stron
V-255921 | low | The SUSE operating system must restrict access to the kernel message buffer. | Restricting access to the kernel message buffer limits access only to root. This prevents attackers fr
V-255922 | medium | The SUSE operating system must use a file integrity tool to verify correct operation of all security fun | This requirement applies to the SUSE operating system performing security function verification/testing and/or systems and e
V-234899 | medium | The SUSE operating system must generate audit records for all account creations, modifications, disa | Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00
V-234903 | medium | The SUSE operating system must generate audit records for all account creations, modifications, disa | Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00
V-234902 | medium | The SUSE operating system must generate audit records for all account creations, modifications, disa | Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00
V-234901 | medium | The SUSE operating system must generate audit records for all account creations, modifications, disa | Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00
V-234900 | medium | The SUSE operating system must generate audit records for all account creations, modifications, disab | Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00
V-234907 | low | The SUSE operating system must generate audit records for all uses of the gpasswd command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00
V-234906 | medium | The SUSE operating system must generate audit records for all uses of the passwd command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00
V-234905 | low | The SUSE operating system must generate audit records for all uses of the ssh-keysign command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00
V-234904 | medium | SUSE operating system audit records must contain information to establish what type of events occu | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00
V-234909 | low | The SUSE operating system must generate audit records for all uses of the chsh command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00
V-234908 | low | The SUSE operating system must generate audit records for all uses of the newgrp command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00
V-234986 | low | The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs). | ACLs can provide permissions beyond those permitted through the file mode and must be verified by fi
V-234851 | medium | Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system con | Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200
V-234898 | high | The SUSE operating system must not be configured to allow blank or null passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting pas
V-234850 | low | The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenw | Time stamps generated by the SUSE operating system include date and time. Time is commonly expressed in UTC, a modern c
V-235009 | medium | The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissi | If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
V-235008 | medium | The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissiv | If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
V-235005 | low | The SUSE operating system must use a separate file system for /var. | The use of separate file systems for different paths can protect the system from failures resulting from
V-235004 | low | A separate file system must be used for SUSE operating system user home directories (such as /home | The use of separate file systems for different paths can protect the system from failures resulting from
V-235007 | medium | The SUSE operating system SSH daemon must be configured to not allow authentication using known | Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH
V-235006 | medium | The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules | The "pam-config" command line utility automatically generates a system PAM configuration as packa
V-235001 | medium | SUSE operating system file systems that are being imported via Network File System (NFS) must be m | The "noexec" mount option causes the system to not execute binary files. This option must be used fo
V-235000 | medium | SUSE operating system file systems that are being imported via Network File System (NFS) must be mo | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner pri
V-235003 | medium | SUSE operating system kernel core dumps must be disabled unless needed. | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel c
V-235002 | medium | All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an ap | The only authorized public directories are those temporary directories supplied with the system or those designed to be temp
V-234936 | low | The SUSE operating system must generate audit records for all uses of the ssh-agent command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
V-234937 | medium | The SUSE operating system must generate audit records for all uses of the insmod command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
V-234934 | low | The SUSE operating system must generate audit records for all uses of the mount system call. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
V-234935 | low | The SUSE operating system must generate audit records for all uses of the umount system call. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
V-234932 | medium | The SUSE operating system must generate audit records for all uses of the sudoedit command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
V-234933 | low | The SUSE operating system must generate audit records for all uses of the chfn command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
V-234858 | medium | The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohi | If cached authentication information is out of date, the validity of the authentication information m
V-234938 | medium | The SUSE operating system must generate audit records for all uses of the rmmod command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
V-234939 | medium | The SUSE operating system must generate audit records for all uses of the modprobe command. | Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
V-256983 | medium | The SUSE operating system must be configured to allow sending email notifications of unauthorized | Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could u
V-256982 | medium | The SUSE operating system must automatically expire temporary accounts within 72 hours. | The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extende
V-234890 | medium | The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one d | Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the passwo
V-234882 | medium | The SUSE operating system must enforce passwords that contain at least one uppercase character. | Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the pa
V-234883 | medium | The SUSE operating system must enforce passwords that contain at least one lowercase character. | Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the pa
V-234880 | medium | All SUSE operating system local interactive user accounts, upon creation, must be assigned a home di | If local interactive users are not assigned a valid home directory, there is no place for the storage an
V-234881 | medium | The SUSE operating system must display the date and time of the last successful account logon upon |
V-234886 | medium | The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to onl |
V-234887 | medium | The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for a |
V-234884 | medium | The SUSE operating system must enforce passwords that contain at least one numeric character. |
V-234885 | medium | The SUSE operating system must require the change of at least eight of the total number of charact |
V-234888 | medium | The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for a |
V-234889 | medium | The SUSE operating system must be configured to create or update passwords with a minimum lifetim |
V-234924 | medium | The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, |
V-234808 | medium | The SUSE operating system must display a banner before granting local or remote access to the system |
V-234809 | medium | The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting |
V-234802 | medium | Vendor-packaged SUSE operating system security patches and updates must be installed and up to d |
V-234803 | medium | The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner befo |
V-234800 | high | The SUSE operating system must be a vendor-supported release. |
V-234801 | medium | The SUSE operating system must implement the Endpoint Security for Linux Threat Prevention tool. |
V-234806 | medium | The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until u |
V-234807 | medium | The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice |
V-234804 | high | The SUSE operating system must not have the vsftpd package installed if not required for operational |
V-234805 | medium | The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner bef |
V-234868 | low | The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/o |
V-234869 | medium | The SUSE operating system must implement multifactor authentication for access to privileged acco |
V-234860 | high | All networked SUSE operating systems must have and implement SSH to protect the confidentiality and |
V-234861 | medium | The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel ad |
V-234862 | medium | Address space layout randomization (ASLR) must be implemented by the SUSE operating system to |
V-234863 | medium | The SUSE operating system must remove all outdated software components after updated versions ha |
V-234864 | medium | The SUSE operating system must notify the System Administrator (SA) when Advanced Intrusion Detect |
V-234865 | medium | The SUSE operating system must off-load rsyslog messages for networked systems in real time and of |
V-234866 | medium | The SUSE operating system must provision temporary accounts with an expiration date for 72 hours. |
V-234867 | medium | The SUSE operating system must lock an account after three consecutive invalid access attempts. |
V-234895 | medium | The SUSE operating system must employ passwords with a minimum of 15 characters. |
V-234894 | medium | The SUSE operating system must not allow passwords to be reused for a minimum of five generation |
V-234897 | medium | The SUSE operating system must prevent the use of dictionary words for passwords. |
V-234896 | medium | The SUSE operating system must enforce passwords that contain at least one special character. |
V-234958 | medium | The SUSE operating system audit system must take appropriate action when the audit storage volume |
V-234959 | medium | The SUSE operating system must protect audit rules from unauthorized modification. |
V-234893 | medium | The SUSE operating system must employ a password history file. |
V-234892 | medium | The SUSE operating system must employ user passwords with a maximum lifetime of 60 days. |
V-234954 | medium | The SUSE operating system must generate audit records for all uses of the su command. |
V-234955 | low | The SUSE operating system must generate audit records for all uses of the sudo command. |
V-234956 | medium | The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be |
V-234957 | medium | The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must hav |
V-234950 | medium | The SUSE operating system must generate audit records for all uses of the pam_timestamp_check |
V-234951 | medium | The SUSE operating system must generate audit records for all uses of the delete_module system call |
V-234952 | medium | The SUSE operating system must generate audit records for all uses of the init_module and finit_mod |
V-234989 | high | The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Inte |
V-234819 | high | SUSE operating systems with a basic input/output system (BIOS) must require authentication upon b |
V-234818 | high | The SUSE operating system must not have the telnet-server package installed. |
V-234815 | medium | The SUSE operating system must log SSH connection attempts and failures to the server. |
V-234814 | low | The SUSE operating system must conceal, via the session lock, information previously visible on the di |
V-234817 | medium | The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a |
V-234816 | medium | The SUSE operating system must implement DoD-approved encryption to protect the confidentiality |
V-234811 | low | The SUSE operating system must utilize vlock to allow for session locking. |
V-234810 | medium | The SUSE operating system must be able to lock the graphical user interface (GUI). |
V-234813 | medium | The SUSE operating system must initiate a session lock after a 15-minute period of inactivity. |
V-234812 | medium | The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the g |
V-234879 | medium | The SUSE operating system must use the invoking user's password for privilege escalation when usin |
V-234878 | medium | The SUSE operating system must require re-authentication when using the "sudo" command. |
V-234928 | medium | The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmo |
V-234873 | low | The SUSE operating system must display the date and time of the last successful account logon upon |
V-234872 | medium | The SUSE operating system must never automatically remove or disable emergency administrator ac |
V-234871 | medium | The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) af |
V-234870 | medium | The SUSE operating system must deny direct logons to the root account using remote access via SSH. |
V-234877 | medium | The SUSE operating system must restrict privilege elevation to authorized personnel. |
V-234876 | high | The SUSE operating system root account must be the only account with unrestricted access to the sy |
V-234875 | medium | The SUSE operating system must not have unnecessary account capabilities. |
V-234874 | medium | The SUSE operating system must not have unnecessary accounts. |
V-234961 | medium | The SUSE operating system audit tools must have the proper permissions configured to protect again |
V-234963 | low | The SUSE operating system must generate audit records for all uses of the privileged functions. |
V-234949 | medium | The SUSE operating system must generate audit records for all uses of the usermod command. |
V-234948 | medium | The SUSE operating system must generate audit records for all uses of the passmass command. |
V-234947 | medium | The SUSE operating system must generate audit records for all modifications to the lastlog file. |
V-234946 | medium | The SUSE operating system must generate audit records for all modifications to the tallylog file must |
V-234945 | medium | The SUSE operating system must generate audit records for all uses of the rm command. |
V-234944 | medium | The SUSE operating system must generate audit records for all uses of the chcon command. |
V-234943 | medium | The SUSE operating system must generate audit records for all uses of the chacl command. |
V-234942 | medium | The SUSE operating system must generate audit records for all uses of the setfacl command. |
V-234941 | medium | The SUSE operating system must generate audit records for all uses of the chmod command. |
V-234940 | medium | The SUSE operating system must generate audit records for all uses of the kmod command. |
V-234891 | medium | The SUSE operating system must be configured to create or update passwords with a maximum lifeti |
V-234848 | medium | SUSE operating system AppArmor tool must be configured to control whitelisted applications and use |
V-234849 | medium | The SUSE operating system clock must, for networked systems, be synchronized to an authoritative D |
V-234846 | medium | The SUSE operating system must have a firewall system installed to immediately disconnect or disab |
V-234847 | medium | The SUSE operating system wireless network adapters must be disabled unless approved and docum |
V-234844 | medium | The SUSE operating system must have system commands group-owned by root or a system account. |
V-234845 | medium | The SUSE operating system must have directories that contain system commands group-owned by ro |
V-234842 | medium | The SUSE operating system must have system commands owned by root. |
V-234843 | medium | The SUSE operating system must have directories that contain system commands owned by root. |
V-234840 | medium | The SUSE operating system must have system commands set to a mode of 0755 or less permissive. |
V-234841 | medium | The SUSE operating system must have directories that contain system commands set to a mode of 075 |
V-234973 | medium | The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, |
V-234976 | medium | The SUSE operating system must generate audit records for the /var/log/wtmp file. |
V-234977 | medium | The SUSE operating system must generate audit records for the /var/log/btmp file. |
V-234975 | medium | The SUSE operating system must generate audit records for the /run/utmp file. |
V-234978 | medium | The SUSE operating system must off-load audit records onto a different system or media from the sy |
V-234979 | medium | Audispd must take appropriate action when the SUSE operating system audit storage is full. |
V-234998 | medium | SUSE operating system file systems that contain user home directories must be mounted to prevent fil |
V-234999 | medium | SUSE operating system file systems that are used with removable media must be mounted to prevent f |
V-234853 | high | The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalat |
V-234852 | high | The SUSE operating system tool zypper must have gpgcheck enabled. |
V-234855 | medium | The SUSE operating system must implement certificate status checking for multifactor authentication |
V-234854 | medium | The SUSE operating system must have the packages required for multifactor authentication to be inst |
V-234857 | medium | If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the us |
V-234856 | medium | The SUSE operating system must disable the USB mass storage kernel module. |
V-234990 | high | The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence. |
V-234991 | medium | All SUSE operating system local interactive users must have a home directory assigned in the /etc/pas |
V-234992 | medium | All SUSE operating system local interactive user home directories defined in the /etc/passwd file must |
V-234993 | medium | All SUSE operating system local interactive user home directories must have mode 0750 or less permi |
V-234994 | medium | All SUSE operating system local interactive user home directories must be group-owned by the home |
V-234995 | medium | All SUSE operating system local initialization files must have mode 0740 or less permissive. |
V-234996 | medium | All SUSE operating system local interactive user initialization files executable search paths must cont |
V-234997 | medium | All SUSE operating system local initialization files must not execute world-writable programs. |
V-234859 | high | FIPS 140-2 mode must be enabled on the SUSE operating system. |
V-234965 | medium | The SUSE operating system must allocate audit record storage capacity to store at least one week of a |
V-234964 | medium | The SUSE operating system must have the auditing package installed. |
V-234967 | low | The SUSE operating system audit event multiplexor must be configured to use Kerberos. |
V-234966 | medium | The audit-audispd-plugins must be installed on the SUSE operating system. |
V-235030 | medium | The SUSE operating system default permissions must be defined in such a way that all authenticated u |
V-235031 | high | The SUSE operating system must not allow unattended or automatic logon via the graphical user inter |
V-235032 | high | The SUSE operating system must not allow unattended or automatic logon via SSH. |
V-234962 | medium | The SUSE operating system file integrity tool must be configured to protect the integrity of the audit |
V-234969 | medium | The SUSE operating system auditd service must notify the System Administrator (SA) and Information |
V-234968 | low | Audispd must off-load audit records onto a different system or media from the SUSE operating syste |
V-251723 | medium | The SUSE operating system must specify the default "include" directory for the /etc/sudoers file. |
V-251724 | medium | The SUSE operating system must not be configured to bypass password requirements for privilege esc |
V-251725 | high | The SUSE operating system must not have accounts configured with blank or null passwords. |

Titles and descriptions are truncated in the source export, and the export carries description text only for the first 94 findings.
Providing users with feedback on when account accesses via SSH last occurred facilitates user recogn
Passwords need to be protected at all times, and encryption is the standard method for protecting pas
Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the pa
If the SUSE operating system allows the user to consecutively reuse extensive portions of passwords
Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the passwo
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of
Timely patching is critical for maintaining the operational availability, confidentiality, and integ
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of
A SUSE operating system release is considered "supported" if the vendor continues to provide security
Adding endpoint security tools can provide the capability to automatically take actions in response
Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007
To establish acceptance of the application usage policy, a click-through banner at system logon is required. The system must p
Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049
Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088
This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by
Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00
Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00
Examples of attacks are buffer overflow attacks.
Examples of attacks are buffer overflow attacks.
Previous versions of software components that are not removed from the information system after u
This capability must take into account operational requirements for availability for selecting an appropriate response. The org
Off-loading is a common process in information systems with limited audit storage capacity.
To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attemp
If the SUSE operating system allows the user to select passwords based on dictionary words, this in
Special characters are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the S
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attemp
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be ch
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
This requirement applies to each audit data storage repository (i.e., distinct information system component where audit recor
This requirement applies to each audit data storage repository (i.e., distinct information system component where audit recor
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If a
Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement m
Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049
Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compli
Publicly viewable images can include static or dynamic images, such as patterns used with screen savers, photographic images
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011
The session lock is implemented at the point where session activity can be determined and/or controlled.
The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires aut
The session lock is implemented at the point where session activity can be determined and/or controlled.
For more information on each of the listed configurations, reference the sudoers(5) manual page.
If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate f
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00
Providing users with feedback on when account accesses last occurred facilitates user recognition a
To address access requirements the SUSE operating system can be integrated with enterprise-level authentication/access mec
The SUSE operating system needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.
Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for trace
The sudo command allows a user to execute programs with elevated (administrator) privileges. It promp
If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving th
Accounts providing no operational purpose provide additional opportunities for system compromise. T
Accounts providing no operational purpose provide additional opportunities for system compromise. U
Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be ch
Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00
Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144
> sudo firewall-cmd --panic-off
Satisfies: SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000481-GPOS-000481
This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case
Audit records can be generated from various components within the information system (e.g., module or policy filter). The sys
Audit records can be generated from various components within the information system (e.g., module or policy filter).
Audit records can be generated from various components within the information system (e.g., module or policy filter).
Audit records can be generated from various components within the information system (e.g., module or policy filter).
Off-loading is a common process in information systems with limited audit storage capacity.
Off-loading is a common process in information systems with limited audit storage capacity.
The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privile
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner pri
Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a v
Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162
Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162
If cached authentication information is out of date, the validity of the authentication information m
Peripherals include but are not limited to such devices as flash drives, external storage, and printers.
A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If a
If local interactive users are not assigned a valid home directory, there is no place for the storage an
If a local interactive user has a home directory defined that does not exist, the user may be given acc
Excessive permissions on local interactive user home directories may allow unauthorized access to use
If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the pr
Local initialization files are used to configure the user's shell environment upon logon. Malicious mo
The executable search path (typically the PATH environment variable) contains a list of directories fo
If user start-up files execute world-writable programs, especially in unprotected directories, they co
Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223
The task of allocating audit record storage capacity is usually performed during initial installation of the SUSE operating system
Satisfies: SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00
Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and ca
The audit-audispd-plugins must be installed on the SUSE operating system.
Setting the most restrictive default permissions ensures that when new accounts are created, they d
Failure to restrict system access to authenticated users negatively impacts SUSE operating system sec
Failure to restrict system access via SSH to authenticated users negatively impacts SUSE operating sy
To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools hav
If security personnel are not notified immediately when storage volume reaches 75 percent utilization
Off-loading is a common process in information systems with limited audit storage capacity.
It is possible to include other sudoers files from within the sudoers file currently being parsed using the @include and @includ
Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
If an account has an empty password, anyone could log on and run commands with the privileges of
Column5 Column6 Column7
iacontrols ruleID fixid
None SV-234825r622137_rule F-37976r618745_fix
None SV-234826r877395_rule F-37977r618748_fix
None SV-234827r854189_rule F-37978r618751_fix
None SV-234820r622137_rule F-37971r618730_fix
None SV-234821r854186_rule F-37972r618733_fix
None SV-234822r622137_rule F-37973r618736_fix
None SV-234823r854187_rule F-37974r618739_fix
None SV-234983r622137_rule F-38134r619219_fix
None SV-234982r622137_rule F-38133r619216_fix
None SV-234981r622137_rule F-38132r619213_fix
None SV-234980r622137_rule F-38131r619210_fix
None SV-234828r622137_rule F-37979r618754_fix
None SV-234829r622137_rule F-37980r618757_fix
None SV-234985r622137_rule F-38136r619225_fix
None SV-234984r622137_rule F-38135r619222_fix
None SV-234988r622137_rule F-38139r619234_fix
None SV-235027r622137_rule F-38178r619351_fix
None SV-235026r622137_rule F-38177r619348_fix
None SV-235025r622137_rule F-38176r619345_fix
None SV-235024r622137_rule F-38175r619342_fix
None SV-235023r622137_rule F-38174r619339_fix
None SV-235022r622137_rule F-38173r619336_fix
None SV-235021r622137_rule F-38172r619333_fix
None SV-235020r622137_rule F-38171r619330_fix
None SV-235029r622137_rule F-38180r619357_fix
None SV-235028r622137_rule F-38179r619354_fix
None SV-234910r854227_rule F-38061r619000_fix
None SV-234911r854228_rule F-38062r619003_fix
None SV-234912r854229_rule F-38063r619006_fix
None SV-234913r854230_rule F-38064r619009_fix
None SV-234914r854232_rule F-38065r854231_fix
None SV-234918r854234_rule F-38069r854233_fix
None SV-234837r622137_rule F-37988r618781_fix
None SV-234836r622137_rule F-37987r618778_fix
None SV-234835r622137_rule F-37986r618775_fix
None SV-234834r622137_rule F-37985r618772_fix
None SV-234833r622137_rule F-37984r618769_fix
None SV-234832r880884_rule F-37983r880883_fix
None SV-234831r854191_rule F-37982r618763_fix
None SV-234830r854190_rule F-37981r618760_fix
None SV-234987r880969_rule F-38138r619231_fix
None SV-234839r622137_rule F-37990r618787_fix
None SV-234838r622137_rule F-37989r618784_fix
None SV-235018r622137_rule F-38169r619324_fix
None SV-235019r622137_rule F-38170r619327_fix
None SV-235013r622137_rule F-38164r619309_fix
None SV-235010r622137_rule F-38161r619300_fix
None SV-235016r622137_rule F-38167r619318_fix
None SV-235017r622137_rule F-38168r619321_fix
None SV-235014r622137_rule F-38165r619312_fix
None SV-235015r622137_rule F-38166r619315_fix
None SV-255920r880961_rule F-59540r880960_fix
None SV-255921r880964_rule F-59541r880963_fix
None SV-255922r880967_rule F-59542r880966_fix
None SV-234899r854216_rule F-38050r618967_fix
None SV-234903r854220_rule F-38054r618979_fix
None SV-234902r854219_rule F-38053r618976_fix
None SV-234901r854218_rule F-38052r618973_fix
None SV-234900r854217_rule F-38051r618970_fix
None SV-234907r854224_rule F-38058r618991_fix
None SV-234906r854223_rule F-38057r618988_fix
None SV-234905r854222_rule F-38056r618985_fix
None SV-234904r854221_rule F-38055r618982_fix
None SV-234909r854226_rule F-38060r618997_fix
None SV-234908r854225_rule F-38059r618994_fix
None SV-234986r880968_rule F-38137r619228_fix
None SV-234851r902851_rule F-38002r902850_fix
None SV-234898r622137_rule F-38049r618964_fix
None SV-234850r877383_rule F-38001r618820_fix
None SV-235009r880958_rule F-38160r880957_fix
None SV-235008r622137_rule F-38159r619294_fix
None SV-235005r622137_rule F-38156r619285_fix
None SV-235004r622137_rule F-38155r619282_fix
None SV-235007r622137_rule F-38158r619291_fix
None SV-235006r622137_rule F-38157r619288_fix
None SV-235001r622137_rule F-38152r619273_fix
None SV-235000r622137_rule F-38151r619270_fix
None SV-235003r622137_rule F-38154r619279_fix
None SV-235002r622137_rule F-38153r619276_fix
None SV-234936r854243_rule F-38087r619078_fix
None SV-234937r854244_rule F-38088r619081_fix
None SV-234934r854241_rule F-38085r619072_fix
None SV-234935r854242_rule F-38086r619075_fix
None SV-234932r854239_rule F-38083r619066_fix
None SV-234933r854240_rule F-38084r619069_fix
None SV-234858r854204_rule F-38009r618844_fix
None SV-234938r854245_rule F-38089r619084_fix
None SV-234939r854246_rule F-38090r619087_fix
None SV-256983r902849_rule F-60603r902848_fix
None SV-256982r903127_rule F-60602r902845_fix
None SV-234890r622137_rule F-38041r618940_fix
None SV-234882r622137_rule F-38033r618916_fix
None SV-234883r622137_rule F-38034r618919_fix
None SV-234880r622137_rule F-38031r618910_fix
None SV-234881r858543_rule F-38032r618913_fix
None SV-234886r877397_rule F-38037r618928_fix
None SV-234887r877397_rule F-38038r618931_fix
None SV-234884r622137_rule F-38035r618922_fix
None SV-234885r622137_rule F-38036r618925_fix
None SV-234888r877397_rule F-38039r618934_fix
None SV-234889r622137_rule F-38040r618937_fix
None SV-234924r854236_rule F-38075r854235_fix
None SV-234808r622137_rule F-37959r618694_fix
None SV-234809r622137_rule F-37960r618697_fix
None SV-234802r622137_rule F-37953r618676_fix
None SV-234803r622137_rule F-37954r618679_fix
None SV-234800r622137_rule F-37951r618670_fix
None SV-234801r942857_rule F-37952r942856_fix
None SV-234806r622137_rule F-37957r618688_fix
None SV-234807r622137_rule F-37958r618691_fix
None SV-234804r877396_rule F-37955r618682_fix
None SV-234805r622137_rule F-37956r618685_fix
None SV-234868r877399_rule F-38019r618874_fix
None SV-234869r854213_rule F-38020r618877_fix
None SV-234860r916422_rule F-38011r618850_fix
None SV-234861r854207_rule F-38012r618853_fix
None SV-234862r854208_rule F-38013r618856_fix
None SV-234863r854209_rule F-38014r618859_fix
None SV-234864r902854_rule F-38015r902853_fix
None SV-234865r854211_rule F-38016r618865_fix
None SV-234866r622137_rule F-38017r618868_fix
None SV-234867r854212_rule F-38018r618871_fix
None SV-234895r622137_rule F-38046r618955_fix
None SV-234894r622137_rule F-38045r618952_fix
None SV-234897r622137_rule F-38048r618961_fix
None SV-234896r622137_rule F-38047r618958_fix
None SV-234958r622137_rule F-38109r619144_fix
None SV-234959r622137_rule F-38110r619147_fix
None SV-234893r622137_rule F-38044r618949_fix
None SV-234892r622137_rule F-38043r618946_fix
None SV-234954r854261_rule F-38105r619132_fix
None SV-234955r854262_rule F-38106r619135_fix
None SV-234956r622137_rule F-38107r619138_fix
None SV-234957r622137_rule F-38108r619141_fix
None SV-234950r854257_rule F-38101r619120_fix
None SV-234951r854258_rule F-38102r619123_fix
None SV-234952r854260_rule F-38103r854259_fix
None SV-234989r622137_rule F-38140r619237_fix
None SV-234819r622137_rule F-37970r618727_fix
None SV-234818r877396_rule F-37969r618724_fix
None SV-234815r622137_rule F-37966r618715_fix
None SV-234814r622137_rule F-37965r618712_fix
None SV-234817r854185_rule F-37968r618721_fix
None SV-234816r877398_rule F-37967r618718_fix
None SV-234811r622137_rule F-37962r618703_fix
None SV-234810r622137_rule F-37961r618700_fix
None SV-234813r622137_rule F-37964r618709_fix
None SV-234812r622137_rule F-37963r618706_fix
None SV-234879r833010_rule F-38030r618907_fix
None SV-234878r861108_rule F-38029r618904_fix
None SV-234928r854238_rule F-38079r854237_fix
None SV-234873r858542_rule F-38024r618889_fix
None SV-234872r622137_rule F-38023r618886_fix
None SV-234871r928531_rule F-38022r928530_fix
None SV-234870r622137_rule F-38021r618880_fix
None SV-234877r622137_rule F-38028r618901_fix
None SV-234876r622137_rule F-38027r618898_fix
None SV-234875r622137_rule F-38026r618895_fix
None SV-234874r622137_rule F-38025r618892_fix
None SV-234961r622137_rule F-38112r619153_fix
None SV-234963r854263_rule F-38114r619159_fix
None SV-234949r854256_rule F-38100r619117_fix
None SV-234948r854255_rule F-38099r619114_fix
None SV-234947r854254_rule F-38098r619111_fix
None SV-234946r854253_rule F-38097r619108_fix
None SV-234945r854252_rule F-38096r619105_fix
None SV-234944r854251_rule F-38095r619102_fix
None SV-234943r854250_rule F-38094r619099_fix
None SV-234942r854249_rule F-38093r619096_fix
None SV-234941r854248_rule F-38092r619093_fix
None SV-234940r854247_rule F-38091r619090_fix
None SV-234891r622137_rule F-38042r618943_fix
None SV-234848r854194_rule F-37999r618814_fix
None SV-234849r877038_rule F-38000r618817_fix
None SV-234846r854192_rule F-37997r618808_fix
None SV-234847r854193_rule F-37998r618811_fix
None SV-234844r833003_rule F-37995r833002_fix
None SV-234845r622137_rule F-37996r618805_fix
None SV-234842r622137_rule F-37993r618796_fix
None SV-234843r622137_rule F-37994r618799_fix
None SV-234840r622137_rule F-37991r618790_fix
None SV-234841r622137_rule F-37992r618793_fix
None SV-234973r809559_rule F-38124r809558_fix
None SV-234976r622137_rule F-38127r619198_fix
None SV-234977r622137_rule F-38128r619201_fix
None SV-234975r622137_rule F-38126r619195_fix
None SV-234978r854270_rule F-38129r619204_fix
None SV-234979r854271_rule F-38130r619207_fix
None SV-234998r622137_rule F-38149r619264_fix
None SV-234999r622137_rule F-38150r619267_fix
None SV-234853r854199_rule F-38004r618829_fix
None SV-234852r877463_rule F-38003r618826_fix
None SV-234855r854201_rule F-38006r618835_fix
None SV-234854r854200_rule F-38005r618832_fix
None SV-234857r854203_rule F-38008r618841_fix
None SV-234856r854202_rule F-38007r618838_fix
None SV-234990r622137_rule F-38141r619240_fix
None SV-234991r622137_rule F-38142r619243_fix
None SV-234992r622137_rule F-38143r619246_fix
None SV-234993r622137_rule F-38144r619249_fix
None SV-234994r622137_rule F-38145r619252_fix
None SV-234995r622137_rule F-38146r619255_fix
None SV-234996r793060_rule F-38147r619258_fix
None SV-234997r622137_rule F-38148r619261_fix
None SV-234859r877380_rule F-38010r618847_fix
None SV-234965r877391_rule F-38116r619165_fix
None SV-234964r877036_rule F-38115r619162_fix
None SV-234967r877390_rule F-38118r619171_fix
None SV-234966r877390_rule F-38117r619168_fix
None SV-235030r622137_rule F-38181r619360_fix
None SV-235031r877377_rule F-38182r619363_fix
None SV-235032r877377_rule F-38183r619366_fix
None SV-234962r877393_rule F-38113r619156_fix
None SV-234969r877389_rule F-38120r619177_fix
None SV-234968r877390_rule F-38119r619174_fix
None SV-251723r833006_rule F-55114r833005_fix
None SV-251724r854274_rule F-55115r854273_fix
None SV-251725r809487_rule F-55116r809486_fix
Column8
fixtext
ENCRYPT_METHOD SHA512
MACs hmac-sha2-512,hmac-sha2-256
The SSH daemon must be restarted for any changes to take effect.
> sudo grub2-mkconfig --output=/tmp/grub2.cfg
> sudo mv /tmp/grub2.cfg /boot/efi/EFI/sles/grub.cfg
> sudo systemctl start firewalld.service
Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.
> delay is in microseconds
auth required pam_faildelay.so delay=4000000
FAIL_DELAY 4
> sudo systemctl restart auditd.service
Migrate the SUSE operating system audit data path onto a separate file system.
For every world-writable directory, replace "/tmp" in the command above with the world-writable directory that does not hav
> sudo sysctl --system
> sudo rm /[path]/[to]/[file]/shosts.equiv
> sudo rm /[path]/[to]/[file]/.shosts
> sudo systemctl daemon-reload
> sudo ip link set dev <devicename> promisc off
> sudo sysctl --system
> sudo sysctl --system
> sudo sysctl --system
> sudo sysctl --system
> sudo sysctl --system
> sudo sysctl --system
> sudo sysctl --system
> sudo chgrp <group> <file>
> sudo chown <user> <file>
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \;
> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec chown root '{}' \;
> sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec chmod 755 '{}' \;
> sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec chmod 755 '{}' \;
> sudo chkstat --set --system
> sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \;
https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-cryptofs.html#sec-security-cryptofs-y2-part-run
> sudo systemctl restart sshd.service
If AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists.
> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec chgrp root '{}' \;
> sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec chgrp root '{}' \;
> sudo sysctl --system
> sudo sysctl --system
X11Forwarding no
StrictModes yes
> sudo sysctl --system
> sudo sysctl --system
> sudo sysctl --system
> sudo sysctl --system
$ sudo systemctl restart sshd
$ sudo sysctl --system
Done.
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo systemctl enable auditd.service
> sudo systemctl start auditd.service
> sudo augenrules --load
> sudo augenrules --load
If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.
Note: Per requirement SLES-15-010418, the "mailx" package must be installed on the system to enable email functionality.
Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password" to prevent
> sudo timedatectl set-timezone [ZONE]
> sudo chmod 0640 /etc/ssh/ssh_host*key
> sudo chmod 0644 /etc/ssh/ssh_host*key.pub
Migrate "/var" onto the separate file system/partition.
Migrate the non-privileged local interactive user home directories onto the separate file system/partition.
IgnoreUserKnownHosts yes
Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https
Configure the SUSE operating system "/etc/fstab" file to use the "noexec" option on file systems that
Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that
If kernel core dumps are required, document the need with the ISSO.
> sudo chgrp root <directory>
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
offline_credentials_expiration = 1
> sudo augenrules --load
> sudo augenrules --load
> sudo zypper install mailx
> sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>
> sudo passwd -n 1 [USER]
Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ucredit=-1" after t
Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "lcredit=-1" after th
CREATE_HOME yes
PrintLastLog yes
Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third c
Lock all interactive user accounts not using SHA512 hashing until the passwords can be regenerated.
Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "dcredit=-1" after t
Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "difok=8" after the
SHA_CRYPT_MIN_ROUNDS 5000
The DoD requirement is "1" but a greater value is acceptable.
> sudo augenrules --load
Users must log out and back in again before the system-wide settings take effect.
Run the following command to update the database:
> sudo dconf update
> sudo zypper patch
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of
If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.
Install and enable the latest Trellix ENSLTP package.
Save the file "/etc/gdm/Xsession".
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of
> sudo zypper remove vsftpd
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of
* hard maxlogins 10
auth sufficient pam_pkcs11.so
> sudo systemctl restart sshd.service
> sudo sysctl --system
> sudo sysctl --system
solver.upgradeRemoveDroppedPackages = true
Note: Per requirement SLES-15-010418, the "mailx" package must be installed on the system to enable email functionality.
*.* @@loghost:514
`date -d "+3 days" +%Y-%m-%d` sets the 72-hour expiration date for the account at the time the command is run.
Note: Manual changes to the listed files may be overwritten by the "pam-config" program. The "pam-config" program should
The DoD standard requires a minimum 15-character password length.
Edit "/etc/pam.d/common-password" and edit the line containing "pam_pwhistory.so" to contain the option "remember=5 us
password requisite pam_cracklib.so
Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ocredit=-1" after t
disk_full_action = HALT
> sudo chkstat --set /etc/permissions.local
> sudo chown root:root /etc/security/opasswd
> sudo chmod 0600 /etc/security/opasswd
The DoD requirement is 60 days.
> sudo augenrules --load
> sudo augenrules --load
action_mail_acct = root
> sudo newaliases
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo dconf update
> sudo grub2-mkconfig --output=/tmp/grub2.cfg
> sudo mv /tmp/grub2.cfg /boot/grub2/grub.cfg
> sudo zypper remove telnet-server
The SSH service will need to be restarted in order for the changes to take effect.
- Select and set the Screen Lock image to the user's choice.
- Exit Settings Dialog.
Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https
> sudo systemctl restart sshd.service
> sudo zypper install kbd
> sudo gsettings set org.gnome.desktop.lockdown disable-lock-screen false
> sudo chmod +x /etc/profile.d/autologout.sh
> sudo gsettings set org.gnome.desktop.session idle-delay 900
Defaults !rootpw
Defaults !runaspw
Defaults timestamp_timeout=[value]
Note: The "[value]" must be a number that is greater than or equal to "0".
> sudo augenrules --load
session required pam_lastlog.so showfailed
> sudo chage -I -1 -M 99999 [Emergency_Administrator]
DOD recommendation is 35 days, but a lower value greater than "0" is acceptable.
PermitRootLogin no
ALL ALL=(ALL) ALL
ALL ALL=(ALL:ALL) ALL
If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but les
> sudo usermod --shell /sbin/nologin nobody
Document all authorized accounts on the system.
> sudo chkstat --set /etc/permissions.local
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
The DoD requirement is 60 days or less (greater than zero, as zero days will lock the account immediately).
Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup an
server [time_source] maxpoll 16
> sudo firewall-cmd --panic-off
> sudo rm /etc/wicked/ifconfig/wlan0.xml
> sudo chgrp root [FILE]
> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;
> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec chown root '{}' \;
> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;
> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;
> sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
> sudo augenrules --load
network_failure_action = syslog
disk_full_action = syslog
> sudo mount -o remount /home
Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems tha
Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" foun
gpgcheck = 1
Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https
Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https
memcache_timeout = 86400
blacklist usb-storage
> sudo systemctl daemon-reload
> sudo usermod -d /home/smithj smithj
> sudo chgrp users /home/smithj
> sudo chmod 0750 /home/smithj
> sudo chmod 0750 /home/smithj
> sudo chgrp users /home/smithj
> sudo chmod 0740 /home/smithj/.<INIT_FILE>
Edit the SUSE operating system local interactive user initialization files to change any PATH variable
> sudo chmod 0755 <file>
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdf
If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of spac
> sudo zypper in audit
enable_krb5 = yes
In "/etc/audisp/plugins.d/au-remote.conf", change the value of "active" to "yes", or add "active = yes" if no such setting exists
UMASK 077
DISPLAYMANAGER_AUTOLOGIN=""
DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
PermitEmptyPasswords no
PermitUserEnvironment no
/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.
Add or modify the following line:
remote_server = [IP ADDRESS]
@includedir /etc/sudoers.d
Remove any occurrences of "pam_succeed_if" in the file.
Lock an account:
$ sudo passwd -l [username]
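The ownership and permission sweeps that the fix text above performs with "find ... -exec chown/chmod", turned into a read-only audit. This is an added example, not part of the STIG or of any SUSE tooling: it reports what those fixes would touch instead of changing anything, assumes GNU find and stat, and the directory it scans is a constructed fixture rather than a real system path.

```bash
#!/bin/bash
# Added example, not STIG text: a read-only sweep for the system-command
# permission and ownership rules above, to run before the "find ... -exec chmod"
# and chown fixes so you see what they would change. Assumes GNU find and stat.

# "MODE OWNER:GROUP PATH" for every file or directory under the given roots
# that is group- or world-writable (any bit of 022 set), following symlinks
# like the STIG's own "find -L".
perm_scan() {  # perm_scan DIR...
    find -L "$@" -perm /022 \( -type f -o -type d \) -exec stat -c '%a %U:%G %n' '{}' \; 2>/dev/null
}

# Same report for entries not owned by, or not group-owned by, the given account
# (root for system command directories; the parameter keeps the fixture usable
# without root).
owner_scan() {  # owner_scan USER DIR...
    local u=$1; shift
    find -L "$@" \( ! -user "$u" -o ! -group "$u" \) \( -type f -o -type d \) \
        -exec stat -c '%a %U:%G %n' '{}' \; 2>/dev/null
}

# Number of weak-mode entries, so a hardening script can gate on it (0 = clean).
perm_findings() { perm_scan "$@" | awk 'END { print NR }'; }

# Constructed fixture (not a real system path): a fake bin directory with one
# correctly set script and one that is world-writable.
make_fixture() {  # make_fixture DIR
    mkdir -p "$1/bin" && chmod 755 "$1/bin"
    printf '#!/bin/sh\necho ok\n' >"$1/bin/good" && chmod 755 "$1/bin/good"
    printf '#!/bin/sh\necho ok\n' >"$1/bin/bad"  && chmod 777 "$1/bin/bad"
}

# Stand-alone run: scan the fixture; only bin/bad (mode 777) is listed.
d=$(mktemp -d)
make_fixture "$d"
perm_scan "$d"
rm -rf "$d"
```

On a real host run `perm_scan /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin` and `owner_scan root` over the same list; every line printed is something the STIG fix commands would change, so the output doubles as the change record for the fix.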
checkid
C-38013r618744_chk
C-38014r618747_chk
C-38015r618750_chk
C-38008r618729_chk
C-38009r618732_chk
C-38010r618735_chk
C-38011r618738_chk
C-38171r619218_chk
C-38170r619215_chk
C-38169r619212_chk
C-38168r619209_chk
C-38016r618753_chk
C-38017r618756_chk
C-38173r619224_chk
C-38172r619221_chk
C-38176r619233_chk
C-38215r619350_chk
C-38214r619347_chk
C-38213r619344_chk
C-38212r619341_chk
C-38211r619338_chk
C-38210r619335_chk
C-38209r619332_chk
C-38208r619329_chk
C-38217r619356_chk
C-38216r619353_chk
C-38098r618999_chk
C-38099r619002_chk
C-38100r619005_chk
C-38101r619008_chk
C-38102r809461_chk
C-38106r809464_chk
C-38025r618780_chk
C-38024r618777_chk
C-38023r618774_chk
C-38022r618771_chk
C-38021r618768_chk
C-38020r880882_chk
C-38019r618762_chk
C-38018r618759_chk
C-38175r880969_chk
C-38027r618786_chk
C-38026r618783_chk
C-38206r619323_chk
C-38207r619326_chk
C-38201r619308_chk
C-38198r619299_chk
C-38204r619317_chk
C-38205r619320_chk
C-38202r619311_chk
C-38203r619314_chk
C-59597r880959_chk
C-59598r880962_chk
C-59599r880965_chk
C-38087r618966_chk
C-38091r618978_chk
C-38090r618975_chk
C-38089r618972_chk
C-38088r618969_chk
C-38095r618990_chk
C-38094r618987_chk
C-38093r618984_chk
C-38092r618981_chk
C-38097r618996_chk
C-38096r618993_chk
C-38174r880968_chk
C-38039r880946_chk
C-38086r618963_chk
C-38038r618819_chk
C-38197r880956_chk
C-38196r619293_chk
C-38193r619284_chk
C-38192r619281_chk
C-38195r619290_chk
C-38194r619287_chk
C-38189r619272_chk
C-38188r619269_chk
C-38191r619278_chk
C-38190r619275_chk
C-38124r619077_chk
C-38125r619080_chk
C-38122r619071_chk
C-38123r619074_chk
C-38120r619065_chk
C-38121r619068_chk
C-38046r618843_chk
C-38126r619083_chk
C-38127r619086_chk
C-60661r902847_chk
C-60660r902844_chk
C-38078r618939_chk
C-38070r618915_chk
C-38071r618918_chk
C-38068r618909_chk
C-38069r618912_chk
C-38074r618927_chk
C-38075r618930_chk
C-38072r618921_chk
C-38073r618924_chk
C-38076r618933_chk
C-38077r618936_chk
C-38112r809467_chk
C-37996r618693_chk
C-37997r618696_chk
C-37990r618675_chk
C-37991r618678_chk
C-37988r618669_chk
C-37989r942855_chk
C-37994r618687_chk
C-37995r618690_chk
C-37992r618681_chk
C-37993r618684_chk
C-38056r618873_chk
C-38057r618876_chk
C-38048r618849_chk
C-38049r618852_chk
C-38050r618855_chk
C-38051r618858_chk
C-38052r902852_chk
C-38053r618864_chk
C-38054r618867_chk
C-38055r618870_chk
C-38083r618954_chk
C-38082r618951_chk
C-38085r618960_chk
C-38084r618957_chk
C-38146r619143_chk
C-38147r619146_chk
C-38081r618948_chk
C-38080r618945_chk
C-38142r619131_chk
C-38143r619134_chk
C-38144r619137_chk
C-38145r619140_chk
C-38138r619119_chk
C-38139r619122_chk
C-38140r809473_chk
C-38177r619236_chk
C-38007r618726_chk
C-38006r618723_chk
C-38003r618714_chk
C-38002r618711_chk
C-38005r618720_chk
C-38004r618717_chk
C-37999r618702_chk
C-37998r618699_chk
C-38001r618708_chk
C-38000r618705_chk
C-38067r833009_chk
C-38066r861107_chk
C-38116r809470_chk
C-38061r618888_chk
C-38060r618885_chk
C-38059r928529_chk
C-38058r618879_chk
C-38065r618900_chk
C-38064r618897_chk
C-38063r618894_chk
C-38062r618891_chk
C-38149r619152_chk
C-38151r619158_chk
C-38137r619116_chk
C-38136r619113_chk
C-38135r619110_chk
C-38134r619107_chk
C-38133r619104_chk
C-38132r619101_chk
C-38131r619098_chk
C-38130r619095_chk
C-38129r619092_chk
C-38128r619089_chk
C-38079r618942_chk
C-38036r618813_chk
C-38037r618816_chk
C-38034r618807_chk
C-38035r618810_chk
C-38032r833001_chk
C-38033r618804_chk
C-38030r618795_chk
C-38031r618798_chk
C-38028r618789_chk
C-38029r618792_chk
C-38161r809476_chk
C-38164r619197_chk
C-38165r619200_chk
C-38163r619194_chk
C-38166r619203_chk
C-38167r619206_chk
C-38186r619263_chk
C-38187r619266_chk
C-38041r618828_chk
C-38040r618825_chk
C-38043r618834_chk
C-38042r618831_chk
C-38045r618840_chk
C-38044r618837_chk
C-38178r619239_chk
C-38179r619242_chk
C-38180r619245_chk
C-38181r619248_chk
C-38182r619251_chk
C-38183r619254_chk
C-38184r793059_chk
C-38185r619260_chk
C-38047r618846_chk
C-38153r619164_chk
C-38152r619161_chk
C-38155r619170_chk
C-38154r619167_chk
C-38218r619359_chk
C-38219r619362_chk
C-38220r619365_chk
C-38150r619155_chk
C-38157r619176_chk
C-38156r619173_chk
C-55160r833004_chk
C-55161r854272_chk
C-55162r809485_chk
checktext
If "ENCRYPT_METHOD" is not set to "SHA512", if any values other than "SHA512" are configured, or if no output is produced, this is a finding.
If any MACs other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.
If "ClientAliveInterval" is not set to "600" in "/etc/ssh/sshd_config", this is a finding.
If the root password entry does not begin with "password_pbkdf2", this is a finding.
If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
If output is produced, this is a finding.
If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operati
If the value of "delay" is not set to "4000000", "delay" is commented out, "delay" is missing, or the "pam_faildelay" line is miss
If the value of "FAIL_DELAY" is not set to "4", "FAIL_DELAY" is commented out, or "FAIL_DELAY" is missing, then this is a findin
If any results are returned, this is a finding.
If a separate file system/partition does not exist for the system audit data path, this is a finding.
If any of the returned directories do not have the sticky bit set, or are not documented as having the write permission for the
If the network parameter "ipv4.tcp_syncookies" is not equal to "1" or nothing is returned, this is a finding.
If any "shosts.equiv" files are found on the system, this is a finding.
If any ".shosts" files are found on the system, this is a finding.
If the ctrl-alt-del.target is not masked, this is a finding.
If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and doc
If the network parameter "ipv6.conf.default.forwarding" is not equal to "0" or nothing is returned, this is a finding.
If the network parameter "ipv6.conf.all.forwarding" is not equal to "0" or nothing is returned, this is a finding.
If the network parameter "ipv4.ip_forward" is not equal to "0" or nothing is returned, this is a finding.
If the network parameter "ipv4.conf.all.send_redirects" is not equal to "0" or nothing is returned, this is a finding.
If the network parameter "ipv4.conf.default.send_redirects" is not equal to "0" or nothing is returned, this is a finding.
If the network parameter "ipv6.conf.default.accept_redirects" is not equal to "0" or nothing is returned, this is a finding.
If the network parameter "ipv6.conf.all.accept_redirects" is not equal to "0" or nothing is returned, this is a finding.
If any files on the system do not have an assigned group, this is a finding.
If any files on the system do not have an assigned owner, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
If any system wide library directory is returned, this is a finding.
If any system wide library file is returned, this is a finding.
If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.
If any files are found to be group-writable or world-writable, this is a finding.
If the effective permissions do not match the "permissions.local" file, the command does not return any output, or is commen
If command displays any output, this is a finding.
If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a
If "ClientAliveCountMax" does not exist or "ClientAliveCountMax" is not set to a value of "0" or less in "/etc/ssh/sshd_config",
If the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being chec
If any system wide shared library directory is returned, this is a finding.
If any system wide shared library file is returned, this is a finding.
If the network parameter "ipv4.conf.all.accept_redirects" is not equal to "0" or nothing is returned, this is a finding.
If the network parameter "ipv4.conf.default.accept_redirects" is not equal to "0" or nothing is returned, this is a finding.
If the "X11Forwarding" keyword is set to "yes" and is not documented with the Information System Security Officer (ISSO) as a
If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.
If the network parameter "ipv4.conf.default.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.
If the network parameter "ipv6.conf.default.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.
If the network parameter "ipv4.conf.all.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.
If the network parameter "ipv6.conf.all.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.
If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sh
If conflicting results are returned, this is a finding.
If the output is "Couldn't open file /var/lib/aide/aide.db for reading", this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
If the service is not active or not enabled, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked
If the file integrity application does not exist, or a "crontab" file does not exist in "/etc/crontab", the "/etc/cron.daily" subdirec
If null passwords can be used, this is a finding.
If "Time zone" is not set to "UTC" or "GMT", this is a finding.
If any file has a mode more permissive than "0640", this is a finding.
If any file has a mode more permissive than "0644", this is a finding.
If a separate entry for "/var" is not in use, this is a finding.
If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not e
If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.
If any results are returned, this is a finding.
If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.
If the service is active and is not documented, this is a finding.
If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
If "offline_credentials_expiration" is not set to a value of "1", this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
If "mailx" package is not installed, this is a finding.
Verify each of these accounts has an expiration date set within 72 hours.
If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.
If any results are returned that are not associated with a system account, this is a finding.
If the command does not return anything, the returned line is commented out, or has a second column value different from "required", or does not contain "sha512", this is a finding.
If the command does not return anything, the returned line is commented out, or has a second column value different from "r
If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a findin
If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.
If the command does not return anything or the returned line is commented out, has a second column value different from "requisite", or does not contain "dcredit=-1", this is a finding.
If any interactive user password hash does not begin with "$6", this is a finding.
If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "difok", or the value is less than "8", this is a finding.
If the command does not return anything, the returned line is commented out, or has a second column value different from "r
If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.
If no output is produced, or if "PASS_MIN_DAYS" does not have a value of "1" or greater, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
If "banner-message-enable" is set to "false" or is missing completely, this is a finding.
If the banner text does not exactly match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.
If the SUSE operating system has not been patched within the site or PMO frequency, this is a finding.
If the output does not display the correct banner text, this is a finding.
If the release is not supported by the vendor, this is a finding.
If the daemon is not running, this is a finding.
If the beginning of the file does not contain the above text immediately after the line (#!/bin/sh), this is a finding.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attor
If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
If it does not, this is a finding.
If the "maxlogins" item is missing, the line does not begin with a star symbol, or the value is not set to "10" or less, this is a find
If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", this is a finding.
If OpenSSH service is not active, this is a finding.
If the kernel parameter "kptr_restrict" is not equal to "1" or nothing is returned, this is a finding.
If the kernel parameter "randomize_va_space" is not equal to "2" or nothing is returned, this is a finding.
If "solver.upgradeRemoveDroppedPackages" is commented out, is set to "false", or is missing completely, this is a finding.
If the "aide" file does not exist under the "/etc/cron" directory structure or the cron job is not configured to execute a binary t
If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.
If any temporary accounts have no expiration date set or do not expire within "72" hours of their creation, this is a finding.
If the account option is missing, or commented out, this is a finding.
If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "minlen" value, or the value is less than "15", this is a finding.
If the command does not return a result, or the returned line is commented out, has a second column value different from "requisite", does not contain "remember" value, the value is less than "5", or is missing the "use_authtok" keyword, this is a finding.
If the command does not return anything, or the returned line is commented out, this is a finding.
If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ocredit=-1", this is a finding.
If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a findin
If the command returns any output, this is a finding.
If "/etc/security/opasswd" does not exist, this is a finding.
If any results are returned that are not associated with a system account, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_m
If the alias for root does not forward to a monitored e-mail account, or the output is commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
If the logout value is not [''] and the writable status is not false, this is a finding.
If the root password entry does not begin with "password_pbkdf2", this is a finding.
If the telnet-server package is installed, this is a finding.
If the output message does not contain "VERBOSE", the LogLevel keyword is missing, or the line is commented out, this is a fin
If nothing is returned or "org.gnome.desktop.screensaver" is not set, this is a finding.
If "cert_policy" is not set to include "ca", this is a finding.
If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or th
If the command outputs "no matching items found", this is a finding.
If the result is "true", this is a finding.
If the file "/etc/profile.d/autologout.sh" does not exist or the output from the function call is not the same, this is a finding.
If the command does not return a value less than or equal to "900", this is a finding.
If "Defaults !rootpw" is not defined, this is a finding.
If "Defaults !runaspw" is not defined, this is a finding.
If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
If "pam_lastlog" is missing from "/etc/pam.d/login" file, the "silent" option is present, or the returned line is commented out,
If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.
If no output is produced, or if "INACTIVE" is not set to a value greater than "0" and less than or equal to "35", this is a finding.
If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.
ALL ALL=(ALL) ALL
ALL ALL=(ALL:ALL) ALL
If any accounts other than root have a UID of "0", this is a finding.
If a non-interactive account such as "games" or "nobody" is listed with an interactive shell, this is a finding.
If the accounts on the system do not match the provided documentation, this is a finding.
If the command returns any output, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
If no output is produced, or if "PASS_MAX_DAYS" is not set to "60" days or less, this is a finding.
Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.
If the parameter "server" is not set, is not set to an authoritative DoD time source, or is commented out, this is a finding.
If the service is not active, this is a finding.
If a wireless interface is configured and has not been documented and approved, this is a finding.
If any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required sy
If any system commands directories are returned that are not Set Group ID upon execution (SGID) files and owned by a privile
If any system commands are returned, this is a finding.
If any system commands directories are returned, this is a finding.
If any files are found to be group-writable or world-writable, this is a finding.
If any directories are found to be group-writable or world-writable, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
If the "network_failure_action" option is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.
If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.
Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.
If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.
If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.
If "gpgcheck" is set to "0", "off", "no", or "false", this is a finding.
If "cert_policy" is not set to include "ocsp", this is a finding.
If any of the packages required for multifactor authentication are not installed, this is a finding.
If "memcache_timeout" has a value greater than "86400", or is missing, this is a finding.
If nothing is output from the command, this is a finding.
If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding.
If any interactive users do not have a home directory assigned, this is a finding.
If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.
If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.
If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.
If any local initialization files have a mode more permissive than "0740", this is a finding.
If any local initialization files are found to reference world-writable files, this is a finding.
If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the ISSO as an operational requirement, this is a finding.
If nothing is returned, the file does not exist, or the value returned is "0", this is a finding.
If the audit record partition is not allocated sufficient storage capacity, this is a finding.
If the package "audit" is not installed on the system, then this is a finding.
If "enable_krb5" is not set to "yes", or is commented out, this is a finding.
If "active" is missing, commented out, or is not set to "yes", this is a finding.
If the value of "UMASK" is not set to "077", or "UMASK" is missing, this is a finding.
If parameter "DISPLAYMANAGER_PASSWORD_LESS_LOGIN" is not set to "no", this is a finding.
If "PermitEmptyPasswords" or "PermitUserEnvironment" keywords are not set to "no", are missing completely, or are comme
If one or more lines are missing, or is commented out, this is a finding.
If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.
If "remote_server" is not set to an external server or media, or is commented out, this is a finding.
If results are returned, this is a finding.
If any occurrences of "pam_succeed_if" are returned from the command, this is a finding.
If the command returns any results, this is a finding.
no output is produced, this is a finding.
xample above, they are missing, or the returned line is commented out, this is a finding.
e of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a
value different from "required", or does not contain "sha512", this is a finding.
n value different from "requisite", or does not contain "dcredit=-1", this is a finding.
n value different from "requisite", or does not contain "difok", or the value is less than "8", this is a finding.
or either is below "5000", this is a finding.
rching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attor
operational requirement, this is a finding.
n value different from "requisite", or does not contain "minlen" value, or the value is less than "15", this is a finding.
value different from "requisite", does not contain "remember" value, the value is less than "5", or is missing the "use_authtok" keyword, t
n value different from "requisite", or does not contain "ocredit=-1", this is a finding.
line is commented out, this is a finding.
actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.
ies are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.
nts on the system have valid passwords, this is a finding.
ctories outside of their home directory, and the additional path statements are not documented with the ISSO as an operational requirem