STIGQter: STIG Summary: SUSE Linux Enterprise Server 15 Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 23 Apr 2021

The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.

DISA Rule

SV-234962r622137_rule

Vulnerability Number

V-234962

Group Title

SRG-OS-000278-GPOS-00108

Rule Version

SLES-15-030630

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the SUSE operating system file integrity tool to protect the integrity of the audit tools.

Add or update the following lines to "/etc/aide.conf" to protect the integrity of the audit tools:

# audit tools
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

Check Contents

Verify that the SUSE operating system file integrity tool is configured to protect the integrity of the audit tools.

Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command:

> sudo grep /usr/sbin/au /etc/aide.conf

/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

If AIDE is properly configured to protect the integrity of the audit tools, all lines listed above will be returned from the command.

If one or more lines are missing or commented out, this is a finding.
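
The grep in the check above also returns commented-out entries, so its output still has to be read line by line. The shell function below is an added example, not part of the STIG or of STIGQter; it compares each entry literally against the rule string listed above, and the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example: scripted form of the V-234962 check. Names are hypothetical.

REQUIRED_RULE='p+i+n+u+g+s+b+acl+selinux+xattrs+sha512'
AUDIT_TOOLS='auditctl auditd ausearch aureport autrace audispd augenrules'

# check_aide_audit_tools CONF
# Prints one line per finding; the return code is the number of findings (0 = compliant).
check_aide_audit_tools() {
    conf=$1
    findings=0
    if [ ! -r "$conf" ]; then
        echo "FINDING: cannot read $conf"
        return 1
    fi
    for tool in $AUDIT_TOOLS; do
        path="/usr/sbin/$tool"
        # The first field must be exactly the path. This skips "#/usr/sbin/..."
        # and "# /usr/sbin/..." lines, which a plain grep would still return.
        rule=$(awk -v p="$path" '$1 == p { print $2; exit }' "$conf")
        if [ -z "$rule" ]; then
            echo "FINDING: $path missing, commented out, or has no rule"
            findings=$((findings + 1))
        elif [ "$rule" != "$REQUIRED_RULE" ]; then
            # Literal comparison, matching the lines the check text expects.
            echo "FINDING: $path has rule '$rule', expected '$REQUIRED_RULE'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Demo on a constructed config: one entry commented out, one with a weakened rule.
demo=$(mktemp)
{
    for t in auditctl auditd ausearch aureport augenrules; do
        echo "/usr/sbin/$t $REQUIRED_RULE"
    done
    echo "#/usr/sbin/autrace $REQUIRED_RULE"
    echo "/usr/sbin/audispd p+i+n+u+g"
} > "$demo"
check_aide_audit_tools "$demo" || echo "$? finding(s)"
rm -f "$demo"
```

On a live system the call is `check_aide_audit_tools /etc/aide.conf`, run with enough privilege to read the file.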

Documentable

False

Check Content Reference

M

Target Key

5274

Comments