From fa6ba57dd82c43d8523daedacb9b450ea8ea3964 Mon Sep 17 00:00:00 2001 From: svet-se Date: Fri, 1 Nov 2024 13:49:07 +0200 Subject: [PATCH 1/5] Update SLE15 STIG to V2R2 --- products/sle15/profiles/stig.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile index 68da4c680ae..adfaa2cc2bc 100644 --- a/products/sle15/profiles/stig.profile +++ b/products/sle15/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V2R1 + version: V2R2 SMEs: - abergmann @@ -11,7 +11,7 @@ title: 'DISA STIG for SUSE Linux Enterprise 15' description: |- This profile contains configuration checks that align to the - DISA STIG for SUSE Linux Enterprise 15 V2R1. + DISA STIG for SUSE Linux Enterprise 15 V2R2. selections: From cb3b180316cc02bd9cef40d4a29c50e113500387 Mon Sep 17 00:00:00 2001 From: svet-se Date: Fri, 1 Nov 2024 13:52:18 +0200 Subject: [PATCH 2/5] Update SLE15 DISA STIG manual to V2R2 --- ... => disa-stig-sle15-v2r2-xccdf-manual.xml} | 183 +++++++++--------- 1 file changed, 87 insertions(+), 96 deletions(-) rename shared/references/{disa-stig-sle15-v2r1-xccdf-manual.xml => disa-stig-sle15-v2r2-xccdf-manual.xml} (95%) diff --git a/shared/references/disa-stig-sle15-v2r1-xccdf-manual.xml b/shared/references/disa-stig-sle15-v2r2-xccdf-manual.xml similarity index 95% rename from shared/references/disa-stig-sle15-v2r1-xccdf-manual.xml rename to shared/references/disa-stig-sle15-v2r2-xccdf-manual.xml index 21787df0faf..965384af889 100644 --- a/shared/references/disa-stig-sle15-v2r1-xccdf-manual.xml +++ b/shared/references/disa-stig-sle15-v2r2-xccdf-manual.xml @@ -1,4 +1,4 @@ -acceptedSUSE Linux Enterprise Server 15 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 24 Jul 20243.51.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-010000The SUSE operating system must be a vendor-supported release.<VulnDiscussion>A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001230Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.Verify the SUSE operating system is a vendor-supported release. @@ -368,13 +368,13 @@ banner-message-text= Note: The "\n" characters are for formatting only. They will not be displayed on the GUI. -If the banner text does not exactly match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>SLES-15-010100The SUSE operating system must be able to lock the graphical user interface (GUI).<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +If the banner text does not exactly match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>SLES-15-010100The SUSE operating system must be able to lock the graphical user interface (GUI).<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000056CCI-000057CCI-000060Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. This command must be run from an X11 session; otherwise, the command will not work correctly. +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000056CCI-000057CCI-000060CCI-000058Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. This command must be run from an X11 session; otherwise, the command will not work correctly. Configure the SUSE operating system to allow the user to lock the GUI. @@ -388,13 +388,13 @@ Run the following command: > sudo gsettings get org.gnome.desktop.lockdown disable-lock-screen -If the result is "true", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>SLES-15-010110The SUSE operating system must utilize vlock to allow for session locking.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +If the result is "true", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>SLES-15-010110The SUSE operating system must utilize vlock to allow for session locking.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000056CCI-000057CCI-000060Allow users to lock the console by installing the "kbd" package using zypper: +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000056CCI-000057CCI-000060CCI-000058Allow users to lock the console by installing the "kbd" package using zypper: > sudo zypper install kbdCheck that the SUSE operating system has the "vlock" package installed by running the following command: @@ -416,24 +416,24 @@ Note: If the system does not have a graphical user interface installed, this req uint32 900 -If the command does not return a value less than or equal to "900", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>SLES-15-010130The SUSE operating system must initiate a session lock after a 15-minute period of inactivity.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. +If the command does not return a value less than or equal to "900", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>SLES-15-010130The SUSE operating system must initiate a session lock after a 10-minute period of inactivity.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the users to manually lock their SUSE operating system session prior to vacating the vicinity, the SUSE operating system needs to be able to identify when a user's session has idled and take action to initiate the session lock. -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000057Configure the SUSE operating system to initiate a session lock after a 15-minute period of inactivity by modifying or creating (if it does not already exist) the "/etc/profile.d/autologout.sh" file and add the following lines to it: +The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000057Configure the SUSE operating system to initiate a session lock after a 10-minute period of inactivity by modifying or creating (if it does not already exist) the "/etc/profile.d/autologout.sh" file and add the following lines to it: -TMOUT=900 +TMOUT=600 readonly TMOUT export TMOUT Set the proper permissions for the "/etc/profile.d/autologout.sh" file with the following command: -> sudo chmod +x /etc/profile.d/autologout.shVerify the SUSE operating system must initiate a session logout after a 15-minute period of inactivity for all connection types. +> sudo chmod +x /etc/profile.d/autologout.shVerify the SUSE operating system must initiate a session logout after a 10-minute period of inactivity for all connection types. -Check the proper script exists to kill an idle session after a 15-minute period of inactivity with the following command: +Check the proper script exists to kill an idle session after a 10-minute period of inactivity with the following command: > cat /etc/profile.d/autologout.sh -TMOUT=900 +TMOUT=600 readonly TMOUT export TMOUT @@ -501,7 +501,7 @@ Check the SSH daemon configuration for allowed ciphers with the following comman Ciphers aes256-ctr,aes192-ctr,aes128-ctr -If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or the "Ciphers" keyword is missing, this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>SLES-15-010170The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. +If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or the "Ciphers" keyword is missing, this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>SLES-15-010170The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. @@ -509,7 +509,7 @@ When there is a chain of trust, usually the top entity to be trusted becomes the This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. -Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000185CCI-004068Configure the SUSE operating system for PKI-based authentication to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000185CCI-004068CCI-001991Configure the SUSE operating system for PKI-based authentication to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ca": @@ -786,7 +786,7 @@ Check that the "ClientAliveCountMax" variable is set to a value of "0" or less b ClientAliveCountMax 0 -If "ClientAliveCountMax" does not exist or "ClientAliveCountMax" is not set to a value of "0" or less in "/etc/ssh/sshd_config", or the line is commented out, this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>SLES-15-010330All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.<VulnDiscussion>SUSE operating systems handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. +If "ClientAliveCountMax" does not exist or "ClientAliveCountMax" is not set to a value of "0" or less in "/etc/ssh/sshd_config", or the line is commented out, this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>SLES-15-010330All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.<VulnDiscussion>SUSE operating systems handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). @@ -1152,13 +1152,13 @@ Active: active (exited) since Fri 2017-01-13 01:01:01 GMT; 1day 1h ago If something other than "Active: active" is returned, this is a finding. -Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>SLES-15-010400The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DOD time source at least every 24 hours.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. +Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>SLES-15-010400The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DOD time source at least every 24 hours.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). -Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004923CCI-004926The SUSE operating system clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second. +Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004923CCI-004926CCI-001891CCI-002046The SUSE operating system clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second. To configure the system clock to synchronize to an authoritative DOD time source at least every 24 hours, edit the file "/etc/chrony.conf". Add or correct the following lines by replacing "[time_source]" with an authoritative DOD time source: @@ -1216,11 +1216,11 @@ Check the "/etc/cron" subdirectories for a "crontab" file controlling the execut > sudo grep -R aide /etc/crontab /etc/cron.* /etc/crontab: 30 04 * * * /etc/aide -If the file integrity application does not exist, or a "crontab" file does not exist in "/etc/crontab", the "/etc/cron.daily" subdirectory, or "/etc/cron.weekly" subdirectory, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>SLES-15-010430The SUSE operating system tool zypper must have gpgcheck enabled.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the SUSE operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. +If the file integrity application does not exist, or a "crontab" file does not exist in "/etc/crontab", the "/etc/cron.daily" subdirectory, or "/etc/cron.weekly" subdirectory, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>SLES-15-010430The SUSE operating system tool zypper must have gpgcheck enabled.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the SUSE operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or SUSE operating system components must be signed with a certificate recognized and approved by the organization. -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The SUSE operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certification Authority (CA).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-003992Configure that the SUSE operating system tool zypper to enable gpgcheck by editing or adding the following line to "/etc/zypp/zypp.conf": +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The SUSE operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certification Authority (CA).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-003992CCI-001749Configure that the SUSE operating system tool zypper to enable gpgcheck by editing or adding the following line to "/etc/zypp/zypp.conf": gpgcheck = 1Verify that the SUSE operating system tool zypper has gpgcheck enabled. @@ -1230,17 +1230,17 @@ Check that zypper has gpgcheck enabled with the following command: gpgcheck = 1 -If "gpgcheck" is set to "0", "off", "no", or "false", this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-15-010450The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. +If "gpgcheck" is set to "0", "off", "no", or "false", this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-15-010450The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When the SUSE operating system provides the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate. -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004895Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.Verify that the SUSE operating system requires reauthentication when changing authenticators, roles, or escalating privileges. +Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004895CCI-002038Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.Verify that the SUSE operating system requires reauthentication when changing authenticators, roles, or escalating privileges. Check that "/etc/sudoers" has no occurrences of "NOPASSWD" or "!authenticate" with the following command: > sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers -If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-15-010460The SUSE operating system must have the packages required for multifactor authentication to be installed.<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. +If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-15-010460The SUSE operating system must have the packages required for multifactor authentication to be installed.<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. @@ -1250,7 +1250,7 @@ Remote access is access to DOD nonpublic information systems by an authorized us This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004046CCI-001953CCI-001954Configure the SUSE operating system to implement multifactor authentication by installing the required packages. +Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004046CCI-001953CCI-001954CCI-001948Configure the SUSE operating system to implement multifactor authentication by installing the required packages. Install the packages required to support multifactor authentication with the following commands: @@ -1290,7 +1290,7 @@ Check for the presence of the packages required to support multifactor authentic > zypper info coolkey | grep -i installed -If any of the packages required for multifactor authentication are not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-15-010470The SUSE operating system must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the information system is compromised. +If any of the packages required for multifactor authentication are not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-15-010470The SUSE operating system must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the information system is compromised. Multifactor solutions that require devices separate from information systems to gain access include hardware tokens providing time-based or challenge-response authenticators, and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. @@ -1300,7 +1300,7 @@ Remote access is access to DOD nonpublic information systems by an authorized us This requirement only applies to components with device-specific functions, or for organizational users (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004046CCI-001953CCI-001954Configure the SUSE operating system to certificate status checking for PKI authentication. +Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004046CCI-001953CCI-001954CCI-001948Configure the SUSE operating system to certificate status checking for PKI authentication. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on". @@ -1550,7 +1550,7 @@ The result must contain the following line: * hard maxlogins 10 -If the "maxlogins" item is missing, the line does not begin with a star symbol, or the value is not set to "10" or less, this is a finding.SRG-OS-000068-GPOS-00036<GroupDescription></GroupDescription>SLES-15-020030The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. +If the "maxlogins" item is missing, the line does not begin with a star symbol, or the value is not set to "10" or less, this is a finding.SRG-OS-000068-GPOS-00036<GroupDescription></GroupDescription>SLES-15-020030The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. @@ -1560,7 +1560,7 @@ Remote access is access to DOD nonpublic information systems by an authorized us This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). -Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000187CCI-000765CCI-000766CCI-004046CCI-001953CCI-001954CCI-004047Configure the SUSE operating system to implement multifactor authentication for remote access to privileged accounts via PAM. +Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000187CCI-000765CCI-000766CCI-004046CCI-001953CCI-001954CCI-004047CCI-000767CCI-000768CCI-001948Configure the SUSE operating system to implement multifactor authentication for remote access to privileged accounts via PAM. Add or update "pam_pkcs11.so" in "/etc/pam.d/common-auth" to match the following line: @@ -1572,7 +1572,7 @@ Check that the "pam_pkcs11.so" option is configured in the "/etc/pam.d/common-au auth sufficient pam_pkcs11.so -If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", this is a finding.SRG-OS-000109-GPOS-00056<GroupDescription></GroupDescription>SLES-15-020040The SUSE operating system must deny direct logons to the root account using remote access via SSH.<VulnDiscussion>To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. +If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", this is a finding.SRG-OS-000109-GPOS-00056<GroupDescription></GroupDescription>SLES-15-020040The SUSE operating system must deny direct logons to the root account using remote access via SSH.<VulnDiscussion>To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. @@ -1580,7 +1580,7 @@ For example, the UNIX and Windows SUSE operating systems offer a "switch user" c Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the SUSE operating system without identification or authentication. -Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004045Configure the SUSE operating system to deny direct logons to the root account using remote access via SSH. +Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004045CCI-000770Configure the SUSE operating system to deny direct logons to the root account using remote access via SSH. Edit the appropriate "/etc/ssh/sshd_config" file, add or uncomment the line for "PermitRootLogin" and set its value to "no" (this file may be named differently or be in a different location): @@ -1592,9 +1592,9 @@ Check that SSH denies any user trying to log on directly as root with the follow PermitRootLogin no -If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>SLES-15-020050The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. +If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>SLES-15-020050The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. -The SUSE operating system needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-003627CCI-003628Configure the SUSE operating system to disable account identifiers after 35 days of inactivity since the password expiration. +The SUSE operating system needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-003627CCI-003628CCI-000795Configure the SUSE operating system to disable account identifiers after 35 days of inactivity since the password expiration. Run the following command to change the configuration for "useradd" to disable the account identifier after 35 days: @@ -1686,11 +1686,11 @@ ALL ALL=(ALL:ALL) ALLSRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-15-020102The SUSE operating system must require reauthentication when using the "sudo" command.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. +ALL ALL=(ALL:ALL) ALLSRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-15-020102The SUSE operating system must require reauthentication when using the "sudo" command.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. -If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004895Configure the "sudo" command to require reauthentication. +If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004895CCI-002038Configure the "sudo" command to require reauthentication. Edit the /etc/sudoers file: > sudo visudo @@ -1743,9 +1743,9 @@ Check that "PrintLastLog" keyword in the sshd daemon configuration file is used PrintLastLog yes -If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>SLES-15-020130The SUSE operating system must enforce passwords that contain at least one uppercase character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>SLES-15-020130The SUSE operating system must enforce passwords that contain at least one uppercase character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one uppercase character. +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066CCI-000192Configure the SUSE operating system to enforce password complexity by requiring at least one uppercase character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ucredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring at least one uppercase character. @@ -1754,9 +1754,9 @@ Check that the operating system enforces password complexity by requiring that a > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ucredit=-1 -If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ucredit=-1", this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>SLES-15-020140The SUSE operating system must enforce passwords that contain at least one lowercase character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ucredit=-1", this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>SLES-15-020140The SUSE operating system must enforce passwords that contain at least one lowercase character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one lowercase character. +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066CCI-000193Configure the SUSE operating system to enforce password complexity by requiring at least one lowercase character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "lcredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring that at least one lowercase character. @@ -1765,9 +1765,9 @@ Check that the operating system enforces password complexity by requiring that a > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so lcredit=-1 -If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "lcredit=-1", this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>SLES-15-020150The SUSE operating system must enforce passwords that contain at least one numeric character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "lcredit=-1", this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>SLES-15-020150The SUSE operating system must enforce passwords that contain at least one numeric character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one numeric character. +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066CCI-000194Configure the SUSE operating system to enforce password complexity by requiring at least one numeric character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "dcredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring that at least one numeric character. @@ -1776,7 +1776,7 @@ Check that the operating system enforces password complexity by requiring that a > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so dcredit=-1 -If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "dcredit=-1", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>SLES-15-020160The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed.<VulnDiscussion>If the SUSE operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to require at least eight characters be changed between the old and new passwords during a password change with the following command: +If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "dcredit=-1", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>SLES-15-020160The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed.<VulnDiscussion>If the SUSE operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066CCI-000195Configure the SUSE operating system to require at least eight characters be changed between the old and new passwords during a password change with the following command: Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "difok=8" after the third column.Verify the SUSE operating system requires at least eight characters be changed between the old and new passwords during a password change. @@ -1785,7 +1785,7 @@ Check that the operating system requires at least eight characters be changed be > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so difok=8 -If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "difok", or the value is less than "8", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-15-020170The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004062Configure the SUSE operating system Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. +If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "difok", or the value is less than "8", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-15-020170The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004062CCI-000196Configure the SUSE operating system Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third column. Remove the "nullok" option.Verify the SUSE operating system configures the Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. @@ -1794,11 +1794,11 @@ Check that PAM is configured to create SHA512 hashed passwords by running the fo > grep pam_unix.so /etc/pam.d/common-password password required pam_unix.so sha512 -If the command does not return anything or the returned line is commented out, has a second column value different from "required", or does not contain "sha512", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-15-020180The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. +If the command does not return anything or the returned line is commented out, has a second column value different from "required", or does not contain "sha512", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-15-020180The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. -Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004062CCI-000803Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. +Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004062CCI-000803CCI-000196Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "ENCRYPT_METHOD" to have a value of "SHA512". @@ -1814,11 +1814,11 @@ $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. -If any interactive user password hash does not begin with "$6", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-15-020190The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. +If any interactive user password hash does not begin with "$6", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-15-020190The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. -Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004062CCI-000803Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. +Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004062CCI-000803CCI-000196Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000": @@ -1830,7 +1830,7 @@ Check that a minimum number of hash rounds is configured by running the followin If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding. -If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>SLES-15-020200The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age. +If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>SLES-15-020200The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066CCI-000198Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: @@ -1844,7 +1844,7 @@ To check that the SUSE operating system enforces 24 hours/one day as the minimum PASS_MIN_DAYS 1 -If no output is produced, or if "PASS_MIN_DAYS" does not have a value of "1" or greater, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>SLES-15-020210The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age for user accounts. +If no output is produced, or if "PASS_MIN_DAYS" does not have a value of "1" or greater, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>SLES-15-020210The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066CCI-000198Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age for user accounts. Change the minimum time period between password changes for each [USER] account to "1" day with the command, replacing [USER] with the user account that must be changed: @@ -1856,7 +1856,7 @@ Check the minimum time period between password changes for each user account wit smithj:1 -If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>SLES-15-020220The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce a maximum password age of 60 days or less. +If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>SLES-15-020220The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066CCI-000199Configure the SUSE operating system to enforce a maximum password age of 60 days or less. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: @@ -1870,7 +1870,7 @@ Check that the SUSE operating system enforces 60 days or less as the maximum pas The DOD requirement is "60" days or less (greater than zero, as zero days will lock the account immediately). -If no output is produced, or if "PASS_MAX_DAYS" is not set to "60" days or less, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>SLES-15-020230The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce a maximum password age of each [USER] account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance: +If no output is produced, or if "PASS_MAX_DAYS" is not set to "60" days or less, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>SLES-15-020230The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066CCI-000199Configure the SUSE operating system to enforce a maximum password age of each [USER] account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance: > sudo passwd -x 60 [USER] @@ -1880,9 +1880,9 @@ Check that the SUSE operating system enforces 60 days or less as the maximum use > sudo awk -F: '$5 > 60 || $5 == "" {print $1 ":" $5}' /etc/shadow -If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>SLES-15-020260The SUSE operating system must employ passwords with a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. +If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>SLES-15-020260The SUSE operating system must employ passwords with a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps determine strength and how long it takes to crack a password. Use of more characters in a password helps exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce a minimum 15-character password length. +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps determine strength and how long it takes to crack a password. Use of more characters in a password helps exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066CCI-000205Configure the SUSE operating system to enforce a minimum 15-character password length. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "minlen=15" after the third column. @@ -1893,11 +1893,11 @@ Check that the operating system enforces a minimum 15-character password length > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so minlen=15 -If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "minlen" value, or the value is less than "15", this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>SLES-15-020270The SUSE operating system must enforce passwords that contain at least one special character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "minlen" value, or the value is less than "15", this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>SLES-15-020270The SUSE operating system must enforce passwords that contain at least one special character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. -Special characters are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one special character. +Special characters are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004066CCI-001619Configure the SUSE operating system to enforce password complexity by requiring at least one special character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ocredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring at least one special character. @@ -1927,11 +1927,11 @@ Check that blank or null passwords cannot be used by running the following comma If this produces any output, it may be possible to log on with accounts with empty passwords. -If null passwords can be used, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030000The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. +If null passwords can be used, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030000The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000304-GPOS-00121, SRG-OS-000470-GPOS-00214, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000015CCI-000018CCI-000172CCI-001403CCI-002130Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/passwd" file occur. +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000304-GPOS-00121, SRG-OS-000470-GPOS-00214, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000015CCI-000018CCI-000172CCI-001403CCI-002130CCI-001683CCI-001684CCI-001685CCI-001686CCI-002132Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/passwd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": @@ -1953,11 +1953,11 @@ Check that the file is being audited by performing the following command: If the command does not return a line, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030010The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. +Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030010The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000018CCI-000172CCI-001403CCI-002130CCI-000015Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/group" file occur. +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000018CCI-000172CCI-001403CCI-002130CCI-000015CCI-002132Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/group" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": @@ -1979,11 +1979,11 @@ Check that the file is being audited by performing the following command: If the command does not return a line, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030020The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. +Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030020The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000018CCI-000172CCI-001403CCI-002130CCI-000015Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/shadow" file occur. +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000018CCI-000172CCI-001403CCI-002130CCI-000015CCI-002132Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/shadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": @@ -2005,11 +2005,11 @@ Check that the file is being audited by performing the following command: If the command does not return a line, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030030The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. +Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-15-030030The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000018CCI-000172CCI-001403CCI-002130CCI-000015Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/security/opasswd" file occur. +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000018CCI-000172CCI-001403CCI-002130CCI-000015CCI-002132Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/security/opasswd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": @@ -3296,9 +3296,9 @@ Check that AIDE is properly configured to protect the integrity of the audit too If AIDE is properly configured to protect the integrity of the audit tools, all lines listed above will be returned from the command. -If one or more lines are missing, or is commented out, this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>SLES-15-030640The SUSE operating system must generate audit records for all uses of the privileged functions.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. +If one or more lines are missing, or is commented out, this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>SLES-15-030640The SUSE operating system must generate audit records for all uses of the privileged functions.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-003938CCI-001875CCI-001877CCI-001878CCI-001879CCI-001880CCI-001881CCI-001882CCI-001889CCI-001914CCI-002234Configure the SUSE operating system to generate an audit record for any privileged use of the "execve" system call. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-003938CCI-001875CCI-001877CCI-001878CCI-001879CCI-001880CCI-001881CCI-001882CCI-001889CCI-001914CCI-002234CCI-001814Configure the SUSE operating system to generate an audit record for any privileged use of the "execve" system call. Add or update the following rules in "/etc/audit/rules.d/audit.rules": @@ -3326,13 +3326,13 @@ If both the "b32" and "b64" audit rules for "SUID" files are not defined, this i If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000337-GPOS-00129<GroupDescription></GroupDescription>SLES-15-030650The SUSE operating system must have the auditing package installed.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. +Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000337-GPOS-00129<GroupDescription></GroupDescription>SLES-15-030650The SUSE operating system must have the auditing package installed.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system. -Satisfies: SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000172CCI-003938CCI-001875CCI-001877CCI-001878CCI-001879CCI-001880CCI-001881CCI-001882CCI-001889CCI-001914The SUSE operating system auditd package must be installed on the system. If it is not installed, use the following command to install it: +Satisfies: SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000172CCI-003938CCI-001875CCI-001877CCI-001878CCI-001879CCI-001880CCI-001881CCI-001882CCI-001889CCI-001914CCI-001814The SUSE operating system auditd package must be installed on the system. If it is not installed, use the following command to install it: > sudo zypper in auditVerify the SUSE operating system auditing package is installed. @@ -3367,43 +3367,34 @@ If the audit records are not written to a partition made specifically for audit The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. -If the audit record partition is not allocated sufficient storage capacity, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-15-030670The audit-audispd-plugins must be installed on the SUSE operating system.<VulnDiscussion>The audit-audispd-plugins must be installed on the SUSE operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Install the "audit-audispd-plugins" package on the SUSE operating system by running the following command: +If the audit record partition is not allocated sufficient storage capacity, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-15-030670The audit-audispd-plugins must be installed on the SUSE operating system.<VulnDiscussion>The audit-audispd-plugins must be installed on the SUSE operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Install the "audit-audispd-plugins" package on the SUSE operating system by running the following command: -> sudo zypper install audit-audispd-plugins - -In "/etc/audisp/plugins.d/au-remote.conf", change the value of "active" to "yes", or add "active = yes" if no such setting exists in the file.Verify that the "audit-audispd-plugins" package is installed on the SUSE operating system. +> sudo zypper install audit-audispd-pluginsVerify that the "audit-audispd-plugins" package is installed on the SUSE operating system. Check that the "audit-audispd-plugins" package is installed on the SUSE operating system with the following command: > zypper info audit-audispd-plugins | grep Installed -If the "audit-audispd-plugins" package is not installed, this is a finding. - -Verify the "au-remote" plugin is enabled with the following command: - -> sudo grep -i active /etc/audisp/plugins.d/au-remote.conf -active = yes - -If "active" is missing, commented out, or is not set to "yes", this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-15-030680The SUSE operating system audit event multiplexor must be configured to use Kerberos.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If the "audit-audispd-plugins" package is not installed, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-15-030680The SUSE operating system audit event multiplexor must be configured to use Kerberos.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. -Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Audit events that may include sensitive data must be encrypted prior to transmission. Kerberos provides a mechanism to provide both authentication and encryption for audit event records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system audit event multiplexor to use Kerberos by editing the "/etc/audisp/audisp-remote.conf" file. +Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Audit events that may include sensitive data must be encrypted prior to transmission. Kerberos provides a mechanism to provide both authentication and encryption for audit event records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system audit event multiplexor to use Kerberos by editing the "/etc/audit/audisp-remote.conf" file. Edit or add the following line to match the text below: -enable_krb5 = yesDetermine if the SUSE operating system audit event multiplexor is configured to use Kerberos by running the following command: +transport = krb5Determine if the SUSE operating system audit event multiplexor is configured to use Kerberos by running the following command: -> sudo grep enable_krb5 /etc/audisp/audisp-remote.conf -enable_krb5 = yes +> sudo grep transport /etc/audit/audisp-remote.conf +transport = krb5 -If "enable_krb5" is not set to "yes", or is commented out, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-15-030690Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If "transport" is not set to "krb5", or is commented out, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-15-030690Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. -Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system "/etc/audisp/audisp-remote.conf" file to off-load audit records onto a different system or media by adding or editing the following line with the correct IP address: +Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system "/etc/audit/audisp-remote.conf" file to off-load audit records onto a different system or media by adding or editing the following line with the correct IP address: -remote_server = [IP ADDRESS]Verify "audispd" off-loads audit records onto a different system or media from the SUSE operating system being audited. +remote_server = [IP ADDRESS]Verify "audispd" off-loads audit records onto a different system or media from the SUSE operating system being audited. Check if "audispd" is configured to off-load audit records onto a different system or media from the SUSE operating system by running the following command: -> sudo grep remote_server /etc/audisp/audisp-remote.conf +> sudo grep remote_server /etc/audit/audisp-remote.conf remote_server = 192.168.1.101 If "remote_server" is not set to an external server or media, or is commented out, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>SLES-15-030700The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001855Check the system configuration to determine the partition to which the audit records are written: @@ -3538,31 +3529,31 @@ Check that the file is being audited by performing the following command: If the command does not return a line that matches the example, this is a finding. Note: -The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-15-030790The SUSE operating system must off-load audit records onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-15-030790The SUSE operating system must off-load audit records onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. -Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system to take the appropriate action if it cannot off-load audit records to a different system or storage media from the system being audited due to a network failure. +Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system to take the appropriate action if it cannot off-load audit records to a different system or storage media from the system being audited due to a network failure. -Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt". See the example below: +Uncomment the "network_failure_action" option in "/etc/audit/audisp-remote.conf" and set it to "syslog", "single", or "halt". See the example below: -network_failure_action = syslogVerify what action the audit system takes if it cannot off-load audit records to a different system or storage media from the SUSE operating system being audited. +network_failure_action = syslogVerify what action the audit system takes if it cannot off-load audit records to a different system or storage media from the SUSE operating system being audited. Check the action that the audit system takes in the event of a network failure with the following command: -> sudo grep -i "network_failure_action" /etc/audisp/audisp-remote.conf +> sudo grep -i "network_failure_action" /etc/audit/audisp-remote.conf network_failure_action = syslog -If the "network_failure_action" option is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-15-030800Audispd must take appropriate action when the SUSE operating system audit storage is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If the "network_failure_action" option is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-15-030800Audispd must take appropriate action when the SUSE operating system audit storage is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. -Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system to take the appropriate action if the audit storage is full. +Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001851Configure the SUSE operating system to take the appropriate action if the audit storage is full. -Add, edit, or uncomment the "disk_full_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" as in the example below: +Add, edit, or uncomment the "disk_full_action" option in "/etc/audit/audisp-remote.conf". Set it to "syslog", "single" or "halt" as in the example below: -disk_full_action = syslogVerify the audit system off-loads audit records if the SUSE operating system storage volume becomes full. +disk_full_action = syslogVerify the audit system off-loads audit records if the SUSE operating system storage volume becomes full. Check that the records are properly off-loaded to a remote server with the following command: -> sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf +> sudo grep -i "disk_full_action" /etc/audit/audisp-remote.conf disk_full_action = syslog If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-030810The SUSE operating system must use a separate file system for the system audit data path.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Migrate the SUSE operating system audit data path onto a separate file system.Verify that the SUSE operating system has a separate file system/partition for the system audit data path. @@ -4328,11 +4319,11 @@ Verify the operating system does not have nested "include" files or directories > sudo grep -r include /etc/sudoers.d -If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-15-020104The SUSE operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-15-020104The SUSE operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004895Configure the operating system to require users to supply a password for privilege escalation. +Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-004895CCI-002038Configure the operating system to require users to supply a password for privilege escalation. Check the configuration of the "/etc/ pam.d/sudo" file with the following command: From 33d220b713f6cb420f1dda68852892008405ea0b Mon Sep 17 00:00:00 2001 From: svet-se Date: Fri, 1 Nov 2024 13:58:06 +0200 Subject: [PATCH 3/5] Adjust tmout to 10 minutes for SLES-15-010130 --- products/sle15/profiles/stig.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile index adfaa2cc2bc..4940147022f 100644 --- a/products/sle15/profiles/stig.profile +++ b/products/sle15/profiles/stig.profile @@ -17,7 +17,7 @@ description: |- selections: - var_account_disable_post_pw_expiration=35 - var_accounts_fail_delay=4 - - var_accounts_tmout=15_min + - var_accounts_tmout=10_min - inactivity_timeout_value=15_minutes - var_password_pam_dcredit=1 - var_password_pam_lcredit=1 From 6b97cb2cb1c67d30c9e8006356a54b553cee42ac Mon Sep 17 00:00:00 2001 From: svet-se Date: Mon, 4 Nov 2024 11:39:48 +0200 Subject: [PATCH 4/5] Update SLES-15-030680 check and fix --- .../auditd_audispd_encrypt_sent_records/ansible/shared.yml | 2 +- .../auditd_audispd_encrypt_sent_records/bash/shared.sh | 2 +- .../auditd_audispd_encrypt_sent_records/oval/shared.xml | 4 ++-- .../auditd_audispd_encrypt_sent_records/rule.yml | 6 +++--- .../tests/transport_bogus_value.fail.sh | 2 +- .../tests/transport_correct_value.pass.sh | 2 +- .../tests/transport_not_there.fail.sh | 2 +- .../tests/transport_wrong_value.fail.sh | 2 +- 8 files changed, 11 insertions(+), 11 deletions(-) diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml index e9e83bcd181..90f639966fb 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_sle,multi_platform_slmicro +# platform = Oracle Linux 7,Red Hat Virtualization 4,SUSE Linux Enterprise 12,multi_platform_slmicro # reboot = false # complexity = low # disruption = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/bash/shared.sh index be3e74b0bf8..5e49158b5a1 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/bash/shared.sh @@ -1,7 +1,7 @@ # platform = multi_platform_all AUDISP_REMOTE_CONFIG="{{{ audisp_conf_path }}}/audisp-remote.conf" -{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4", "sle15"] %}} option="^transport" value="KRB5" {{% else %}} diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml index e8d055f908c..f5932e35a1c 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml @@ -2,7 +2,7 @@ - {{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} + {{% if product in ["rhel8", "fedora", "ol8", "rhv4", "sle15"] %}} {{{ oval_metadata("transport setting in " + audisp_config_file_path + " is set to 'KRB5'") }}} {{% else %}} {{{ oval_metadata("enable_krb5 setting in " + audisp_config_file_path + " is set to 'yes'") }}} @@ -22,7 +22,7 @@ {{{ audisp_config_file_path }}} -{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4", "sle15"] %}} ^[ ]*transport[ ]+=[ ]+KRB5[ ]*$ {{% else %}} ^[ ]*enable_krb5[ ]+=[ ]+yes[ ]*$ diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml index 840908090db..a08582b0629 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml @@ -6,7 +6,7 @@ title: 'Encrypt Audit Records Sent With audispd Plugin' description: |- Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. -{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4", "sle15"] %}} Set the transport option in 
{{{ audisp_conf_path }}}/audisp-remote.conf
to KRB5. {{% else %}} @@ -43,7 +43,7 @@ ocil_clause: 'audispd is not encrypting audit records when sent over the network ocil: |- To verify the audispd plugin encrypts audit records off-loaded onto a different system or media from the system being audited, run the following command: -{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4", "sle15"] %}} 
$ sudo grep -i transport {{{ audisp_conf_path }}}/audisp-remote.conf
The output should return the following: 
transport = KRB5
@@ -55,7 +55,7 @@ ocil: |- fixtext: |- Configure {{{ full_name }}} to encrypt audit records sent with audispd plugin. -{{% if product in ["fedora", "ol8", "ol9", "rhv4"] or "rhel" in product %}} +{{% if product in ["fedora", "ol8", "ol9", "rhv4", "sle15"] or "rhel" in product %}} Set the "transport" option in "{{{ audisp_conf_path }}}/audisp-remote.conf" to "KRB5". {{% else %}} Uncomment the "enable_krb5" option in "{{{ audisp_conf_path }}}/audisp-remote.conf", diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_bogus_value.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_bogus_value.fail.sh index 1ee02140b42..400fd4d9fca 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_bogus_value.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_bogus_value.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8,multi_platform_fedora +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,SUSE Linux Enterprise 15 . $SHARED/auditd_utils.sh prepare_auditd_test_enviroment diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_correct_value.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_correct_value.pass.sh index b6775223d9a..ee015120063 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_correct_value.pass.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_correct_value.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8,multi_platform_fedora +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,SUSE Linux Enterprise 15 . $SHARED/auditd_utils.sh prepare_auditd_test_enviroment diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_not_there.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_not_there.fail.sh index bf1c533c688..924410d21cb 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_not_there.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_not_there.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8,multi_platform_fedora +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,SUSE Linux Enterprise 15 . $SHARED/auditd_utils.sh prepare_auditd_test_enviroment diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_wrong_value.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_wrong_value.fail.sh index 864e97b312a..0a01496e821 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_wrong_value.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_wrong_value.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8,multi_platform_fedora +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,SUSE Linux Enterprise 15 . $SHARED/auditd_utils.sh prepare_auditd_test_enviroment From f6f740030b648e9cad17db8147ec2fab1ebe9ed8 Mon Sep 17 00:00:00 2001 From: svet-se Date: Mon, 4 Nov 2024 13:57:40 +0200 Subject: [PATCH 5/5] Fix tests --- .../tests/transport_bogus_value.fail.sh | 2 +- .../tests/transport_correct_value.pass.sh | 2 +- .../tests/transport_not_there.fail.sh | 2 +- .../tests/transport_wrong_value.fail.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_bogus_value.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_bogus_value.fail.sh index 400fd4d9fca..1ee02140b42 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_bogus_value.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_bogus_value.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,SUSE Linux Enterprise 15 +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora . $SHARED/auditd_utils.sh prepare_auditd_test_enviroment diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_correct_value.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_correct_value.pass.sh index ee015120063..b6775223d9a 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_correct_value.pass.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_correct_value.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,SUSE Linux Enterprise 15 +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora . $SHARED/auditd_utils.sh prepare_auditd_test_enviroment diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_not_there.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_not_there.fail.sh index 924410d21cb..bf1c533c688 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_not_there.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_not_there.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,SUSE Linux Enterprise 15 +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora . $SHARED/auditd_utils.sh prepare_auditd_test_enviroment diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_wrong_value.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_wrong_value.fail.sh index 0a01496e821..864e97b312a 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_wrong_value.fail.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/tests/transport_wrong_value.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit -# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,SUSE Linux Enterprise 15 +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora . $SHARED/auditd_utils.sh prepare_auditd_test_enviroment