| V-261264 | | SLEM 5 must implement an endpoint security tool. | Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additiona... |
| V-261265 | | SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting any local or remote connection to the system. | Display of a standardized and approved use notification before granting access to SLEM 5 ensures privacy and security notification verbiage used is co... |
| V-261269 | | SLEM 5 must restrict access to the kernel message buffer. | Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a no... |
| V-261270 | | SLEM 5 kernel core dumps must be disabled unless needed. | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk... |
| V-261271 | | Address space layout randomization (ASLR) must be implemented by SLEM 5 to protect memory from unauthorized code execution. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-261272 | | SLEM 5 must implement kptr-restrict to prevent the leaking of internal kernel addresses. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-261273 | | Vendor-packaged SLEM 5 security patches and updates must be installed and up to date. | Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. Howev... |
| V-261275 | | SLEM 5 must remove all outdated software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by advers... |
| V-261276 | | SLEM 5 must use vlock to allow for session locking. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-261278 | | A separate file system must be used for SLEM 5 user home directories (such as /home or an equivalent). | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.... |
| V-261279 | | SLEM 5 must use a separate file system for /var. | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.... |
| V-261280 | | SLEM 5 must use a separate file system for the system audit data path. | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.... |
| V-261281 | | SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-261282 | | SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-261283 | | SLEM 5 file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-261285 | | SLEM 5 file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. | The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any fi... |
| V-261286 | | SLEM 5 must disable the file system automounter unless required. | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.... |
| V-261287 | | SLEM 5 must have directories that contain system commands set to a mode of 755 or less permissive. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261288 | | SLEM 5 must have system commands set to a mode of 755 or less permissive. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261289 | | SLEM 5 library directories must have mode 755 or less permissive. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261290 | | SLEM 5 library files must have mode 755 or less permissive. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261291 | | All SLEM 5 local interactive user home directories must have mode 750 or less permissive. | Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.... |
| V-261292 | | All SLEM 5 local initialization files must have mode 740 or less permissive. | Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accou... |
| V-261293 | | SLEM 5 SSH daemon public host key files must have mode 644 or less permissive. | If a public host key file is modified by an unauthorized user, the SSH service may be compromised.... |
| V-261294 | | SLEM 5 SSH daemon private host key files must have mode 640 or less permissive. | If an unauthorized user obtains the private SSH host key file, the host could be impersonated.... |
| V-261295 | | SLEM 5 library files must be owned by root. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261296 | | SLEM 5 library files must be group-owned by root. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261297 | | SLEM 5 library directories must be owned by root. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261298 | | SLEM 5 library directories must be group-owned by root. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261299 | | SLEM 5 must have system commands owned by root. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261300 | | SLEM 5 must have system commands group-owned by root or a system account. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261301 | | SLEM 5 must have directories that contain system commands owned by root. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261302 | | SLEM 5 must have directories that contain system commands group-owned by root. | If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-261303 | | All SLEM 5 files and directories must have a valid owner. | Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier (UID) as the UID of the unowned files.... |
| V-261304 | | All SLEM 5 files and directories must have a valid group owner. | Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files with... |
| V-261305 | | All SLEM 5 local interactive user home directories must be group-owned by the home directory owner's primary group. | If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthoriz... |
| V-261306 | | All SLEM 5 world-writable directories must be group-owned by root, sys, bin, or an application group. | If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to ... |
| V-261307 | | The sticky bit must be set on all SLEM 5 world-writable directories. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-261308 | | SLEM 5 must prevent unauthorized users from accessing system error messages. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-261309 | | SLEM 5 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error ... |
| V-261310 | | SLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-261311 | | SLEM 5 clock must, for networked systems, be synchronized to an authoritative DOD time source at least every 24 hours. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-261312 | | SLEM 5 must not have network interfaces in promiscuous mode unless approved and documented. | Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access thes... |
| V-261313 | | SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-261314 | | SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-261315 | | SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-261316 | | SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-261317 | | SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-261318 | | SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-261319 | | SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-261320 | | SLEM 5 must be configured to use TCP syncookies. | Denial of service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot acc... |
| V-261321 | | SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-261322 | | SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-261323 | | SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-261324 | | SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-261325 | | SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-261326 | | SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-261329 | | SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting access via SSH. | Display of a standardized and approved use notification before granting access to SLEM 5 ensures privacy and security notification verbiage used is co... |
| V-261331 | | SLEM 5 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. | Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a m... |
| V-261332 | | SLEM 5 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. | Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a m... |
| V-261333 | | SLEM 5 SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements. | The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A ... |
| V-261337 | | SLEM 5 must deny direct logons to the root account using remote access via SSH. | To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group ... |
| V-261338 | | SLEM 5 must log SSH connection attempts and failures to the server. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-261339 | | SLEM 5 must display the date and time of the last successful account logon upon an SSH logon. | Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.... |
| V-261340 | | SLEM 5 SSH daemon must be configured to not allow authentication using known hosts authentication. | Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misc... |
| V-261341 | | SLEM 5 SSH daemon must perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.... |
| V-261342 | | SLEM 5, for PKI-based authentication, must enforce authorized access to the corresponding private key. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. Th... |
| V-261346 | | SLEM 5 wireless network adapters must be disabled unless approved and documented. | Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications ca... |
| V-261347 | | SLEM 5 must disable the USB mass storage kernel module. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include but are ... |
| V-261348 | | All SLEM 5 local interactive user accounts, upon creation, must be assigned a home directory. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-261349 | | SLEM 5 default permissions must be defined in such a way that all authenticated users can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.... |
| V-261350 | | SLEM 5 shadow password suite must be configured to enforce a delay of at least five seconds between logon prompts following a failed logon attempt. | Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.... |
| V-261351 | | All SLEM 5 local interactive users must have a home directory assigned in the /etc/passwd file. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-261352 | | All SLEM 5 local interactive user home directories defined in the /etc/passwd file must exist. | If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working d... |
| V-261353 | | All SLEM 5 local interactive user initialization files executable search paths must contain only paths that resolve to the users' home directory. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If th... |
| V-261354 | | All SLEM 5 local initialization files must not execute world-writable programs. | If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user file... |
| V-261355 | | SLEM 5 must automatically expire temporary accounts within 72 hours. | Temporary accounts are privileged or nonprivileged accounts established during pressing circumstances, such as new software or hardware configuration ... |
| V-261356 | | SLEM 5 must never automatically remove or disable emergency administrator accounts. | Emergency administrator accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency ... |
| V-261357 | | SLEM 5 must not have unnecessary accounts. | Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for indiv... |
| V-261358 | | SLEM 5 must not have unnecessary account capabilities. | Accounts providing no operational purpose provide additional opportunities for system compromise. Therefore all necessary noninteractive accounts shou... |
| V-261360 | | SLEM 5 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-261361 | | SLEM 5 must not have duplicate User IDs (UIDs) for interactive users. | To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and co... |
| V-261362 | | SLEM 5 must display the date and time of the last successful account logon upon logon. | Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.... |
| V-261363 | | SLEM 5 must initiate a session lock after a 15-minute period of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-261364 | | SLEM 5 must lock an account after three consecutive invalid access attempts. | By limiting the number of failed access attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing,... |
| V-261365 | | SLEM 5 must enforce a delay of at least five seconds between logon prompts following a failed logon attempt via pluggable authentication modules (PAM). | Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.... |
| V-261370 | | SLEM 5 must enable the SELinux targeted policy. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-261371 | | SLEM 5 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary ... |
| V-261372 | | SLEM 5 must use the invoking user's password for privilege escalation when using "sudo". | The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates t... |
| V-261373 | | SLEM 5 must reauthenticate users when changing authenticators, roles, or escalating privileges. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When SLEM 5 provides the capability t... |
| V-261374 | | SLEM 5 must require reauthentication when using the "sudo" command. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ca... |
| V-261375 | | SLEM 5 must restrict privilege elevation to authorized personnel. | The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms the r... |
| V-261376 | | SLEM 5 must specify the default "include" directory for the /etc/sudoers file. | The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used ... |
| V-261377 | | SLEM 5 must enforce passwords that contain at least one uppercase character. | Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of... |
| V-261378 | | SLEM 5 must enforce passwords that contain at least one lowercase character. | Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of... |
| V-261379 | | SLEM 5 must enforce passwords that contain at least one numeric character. | Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of... |
| V-261380 | | SLEM 5 must enforce passwords that contain at least one special character. | Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or strength is a measure of t... |
| V-261381 | | SLEM 5 must prevent the use of dictionary words for passwords. | If SLEM 5 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportuni... |
| V-261382 | | SLEM 5 must employ passwords with a minimum of 15 characters. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-261383 | | SLEM 5 must require the change of at least eight of the total number of characters when passwords are changed. | If SLEM 5 allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the ... |
| V-261384 | | SLEM 5 must not allow passwords to be reused for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the in... |
| V-261385 | | SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-261388 | | SLEM 5 must employ user passwords with a minimum lifetime of 24 hours (one day). | Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If user... |
| V-261389 | | SLEM 5 must employ user passwords with a maximum lifetime of 60 days. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLEM 5 does not limit the lif... |
| V-261390 | | SLEM 5 must employ a password history file. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the in... |
| V-261393 | | SLEM 5 must employ FIPS 140-2/140-3 approved cryptographic hashing algorithm for system authentication (login.defs). | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confi... |
| V-261394 | | SLEM 5 must be configured to create or update passwords with a minimum lifetime of 24 hours (one day). | Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If user... |
| V-261395 | | SLEM 5 must be configured to create or update passwords with a maximum lifetime of 60 days. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLEM 5 does not limit the lif... |
| V-261396 | | SLEM 5 must have the packages required for multifactor authentication to be installed. | Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures that even if the information... |
| V-261397 | | SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the inf... |
| V-261398 | | SLEM 5 must implement certificate status checking for multifactor authentication. | Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the au... |
| V-261399 | | If Network Security Services (NSS) is being used by SLEM 5 it must prohibit the use of cached authentications after one day. | If cached authentication information is out of date, the validity of the authentication information may be questionable.... |
| V-261400 | | SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day. | If cached authentication information is out of date, the validity of the authentication information may be questionable.... |
| V-261401 | | SLEM 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-261402 | | SLEM 5 must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. | The "pam-config" command line utility automatically generates a system PAM configuration as packages are installed, updated, or removed from the syste... |
| V-261403 | | SLEM 5 must use a file integrity tool to verify correct operation of all security functions. | Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is d... |
| V-261404 | | SLEM 5 file integrity tool must be configured to verify Access Control Lists (ACLs). | ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.... |
| V-261405 | | SLEM 5 file integrity tool must be configured to verify extended attributes. | Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.... |
| V-261406 | | SLEM 5 file integrity tool must be configured to protect the integrity of the audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit informat... |
| V-261407 | | Advanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to SLEM 5. Changes... |
| V-261408 | | SLEM 5 must notify the system administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions. | If anomalies are not acted on, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmw... |
| V-261409 | | SLEM 5 must offload rsyslog messages for networked systems in real time and offload standalone systems at least weekly. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information sy... |
| V-261410 | | SLEM 5 must have the auditing package installed. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-261411 | | SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-261412 | | The audit-audispd-plugins package must be installed on SLEM 5. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information sy... |
| V-261413 | | SLEM 5 must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. | To ensure SLEM 5 has a sufficient storage capacity in which to write the audit logs, SLEM 5 must be able to allocate audit record storage capacity. T... |
| V-261414 | | SLEM 5 auditd service must notify the system administrator (SA) and information system security officer (ISSO) immediately when audit storage capacity is 75 percent full. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-261415 | | SLEM 5 audit system must take appropriate action when the audit storage volume is full. | It is critical that when SLEM 5 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing fai... |
| V-261416 | | SLEM 5 must offload audit records onto a different system or media from the system being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information sy... |
| V-261417 | | Audispd must take appropriate action when SLEM 5 audit storage is full. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information sy... |
| V-261418 | | SLEM 5 must protect audit rules from unauthorized modification. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-261419 | | SLEM 5 audit tools must have the proper permissions configured to protect against unauthorized access. | Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary t... |
| V-261420 | | SLEM 5 audit tools must have the proper permissions applied to protect against unauthorized access. | Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary t... |
| V-261422 | | Audispd must offload audit records onto a different system or media from SLEM 5 being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information sy... |
| V-261423 | | The information system security officer (ISSO) and system administrator (SA), at a minimum, must have mail aliases to be notified of a SLEM 5 audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-261424 | | The information system security officer (ISSO) and system administrator (SA), at a minimum, must be alerted of a SLEM 5 audit processing failure event. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-261425 | | SLEM 5 must generate audit records for all uses of the "chacl" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261426 | | SLEM 5 must generate audit records for all uses of the "chage" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261427 | | SLEM 5 must generate audit records for all uses of the "chcon" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261428 | | SLEM 5 must generate audit records for all uses of the "chfn" command. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261429 | | SLEM 5 must generate audit records for all uses of the "chmod" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261430 | | SLEM 5 must generate audit records for all uses of the "chsh" command. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261431 | | SLEM 5 must generate audit records for all uses of the "crontab" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261432 | | SLEM 5 must generate audit records for all uses of the "gpasswd" command. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261433 | | SLEM 5 must generate audit records for all uses of the "insmod" command. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-261434 | | SLEM 5 must generate audit records for all uses of the "kmod" command. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-261435 | | SLEM 5 must generate audit records for all uses of the "modprobe" command. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-261436 | | SLEM 5 must generate audit records for all uses of the "newgrp" command. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261437 | | SLEM 5 must generate audit records for all uses of the "pam_timestamp_check" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261438 | | SLEM 5 must generate audit records for all uses of the "passwd" command. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261439 | | SLEM 5 must generate audit records for all uses of the "rm" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261440 | | SLEM 5 must generate audit records for all uses of the "rmmod" command. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-261441 | | SLEM 5 must generate audit records for all uses of the "setfacl" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261442 | | SLEM 5 must generate audit records for all uses of the "ssh-agent" command. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261443 | | SLEM 5 must generate audit records for all uses of the "ssh-keysign" command. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261444 | | SLEM 5 must generate audit records for all uses of the "su" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261445 | | SLEM 5 must generate audit records for all uses of the "sudo" command. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261446 | | SLEM 5 must generate audit records for all uses of the "sudoedit" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261447 | | SLEM 5 must generate audit records for all uses of the "unix_chkpwd" or "unix2_chkpwd" commands. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261448 | | SLEM 5 must generate audit records for all uses of the "usermod" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261449 | | SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way t... |
| V-261450 | | SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. | Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way t... |
| V-261451 | | SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way t... |
| V-261452 | | SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way t... |
| V-261453 | | SLEM 5 must generate audit records for all uses of the "chmod", "fchmod" and "fchmodat" system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261454 | | SLEM 5 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261455 | | SLEM 5 must generate audit records for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261456 | | SLEM 5 must generate audit records for all uses of the "delete_module" system call. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261457 | | SLEM 5 must generate audit records for all uses of the "init_module" and "finit_module" system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261458 | | SLEM 5 must generate audit records for all uses of the "mount" system call. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261459 | | SLEM 5 must generate audit records for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261460 | | SLEM 5 must generate audit records for all uses of the "umount" system call. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261461 | | SLEM 5 must generate audit records for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261462 | | SLEM 5 must generate audit records for all uses of privileged functions. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-261463 | | SLEM 5 must generate audit records for all modifications to the "lastlog" file. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261464 | | SLEM 5 must generate audit records for all modifications to the "tallylog" file. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261465 | | SLEM 5 must audit all uses of the sudoers file and all files in the "/etc/sudoers.d/" directory. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261466 | | Successful/unsuccessful uses of "setfiles" in SLEM 5 must generate an audit record. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261467 | | Successful/unsuccessful uses of "semanage" in SLEM 5 must generate an audit record. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261468 | | Successful/unsuccessful uses of "setsebool" in SLEM 5 must generate an audit record. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-261469 | | SLEM 5 must generate audit records for the "/run/utmp" file. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261470 | | SLEM 5 must generate audit records for the "/var/log/btmp" file. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261471 | | SLEM 5 must generate audit records for the "/var/log/wtmp" file. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-261472 | | SLEM 5 must not disable syscall auditing. | By default, SLEM 5 includes the "-a task,never" audit rule as a default. This rule suppresses syscall auditing for all tasks started with this rule in... |
| V-261367 | | SLEM 5 must limit the number of concurrent sessions to 10 for all accounts and/or account types. | SLEM 5 management includes the ability to control the number of users and user sessions that use a SLEM 5. Limiting the number of allowed users and se... |
| V-261368 | | SLEM 5 must have policycoreutils package installed. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-261421 | | SLEM 5 audit event multiplexor must be configured to use Kerberos. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Allowing devices and users to connect to or from... |
| V-261263 | | SLEM 5 must be a vendor-supported release. | A SLEM 5 release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not... |
| V-261266 | | SLEM 5 must disable the x86 Ctrl-Alt-Delete key sequence. | A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case o... |
| V-261267 | | SLEM 5 with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-261268 | | SLEM 5 with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode... |
| V-261274 | | The SLEM 5 tool zypper must have gpgcheck enabled. | Changes to any software components can have significant effects on the overall security of SLEM 5. This requirement ensures the software has not been ... |
| V-261277 | | SLEM 5 must not have the telnet-server package installed. | It is detrimental for SLEM 5 to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabili... |
| V-261284 | | All SLEM 5 persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection. | SLEM 5 handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of th... |
| V-261327 | | SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-261328 | | SLEM 5 must use SSH to protect the confidentiality and integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-261330 | | SLEM 5 must not allow unattended or automatic logon via SSH. | Failure to restrict system access via SSH to authenticated users negatively impacts SLEM 5 security.... |
| V-261334 | | SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-261335 | | SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-261336 | | SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated key exchange algorithms. | Without cryptographic integrity protections provided by FIPS 140-2/140-3 validated cryptographic algorithms, information can be viewed and altered by ... |
| V-261343 | | There must be no .shosts files on SLEM 5. | The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not suffici... |
| V-261344 | | There must be no shosts.equiv files on SLEM 5. | The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for prevent... |
| V-261345 | | SLEM 5 must not allow unattended or automatic logon via the graphical user interface (GUI). | Failure to restrict system access to authenticated users negatively impacts SLEM 5 security.... |
| V-261359 | | SLEM 5 root account must be the only account with unrestricted access to the system. | If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SL... |
| V-261369 | | SLEM 5 must use a Linux Security Module configured to enforce limits on system services. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-261386 | | SLEM 5 must not be configured to allow blank or null passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-261387 | | SLEM 5 must not have accounts configured with blank or null passwords. | If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-261391 | | SLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms for system authentication. | The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required... |
| V-261392 | | SLEM 5 shadow password suite must be configured to use a sufficient number of hashing rounds. | The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required... |
| V-261473 | | FIPS 140-2/140-3 mode must be enabled on SLEM 5. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. SLEM 5 must implement cryptographic modules... |