Verify that the version of KubeOS is vendor supported with the following command:

cat /etc/os-release | grep -i KubeOS
NAME="KubeOS"
...

If the installed version of KubeOS is not supported, this is a finding.

Verify KubeOS is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command:

systemctl status ctrl-alt-del.target
ctrl-alt-del.target
     Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
     Active: inactive (dead)

If ctrl-alt-del.target is not masked, this is a finding.

Note: If the system does not use a BIOS, this requirement is not applicable.

Verify that KubeOS has set an encrypted root password with the following command:

# awk '/^ *password/ && $1 == "password_pbkdf2"' /boot/grub2/grub.cfg
password_pbkdf2 root grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771

If the root password entry does not begin with password_pbkdf2, this is a finding.

Note: If the system does not use UEFI, this requirement is not applicable.

Verify that KubeOS has set an encrypted root password with the following command:

# awk '/^ *password/ && $1 == "password_pbkdf2"' /boot/efi/EFI/openEuler/grub.cfg
password_pbkdf2 root grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771

If the root password entry does not begin with password_pbkdf2, this is a finding.

Verify KubeOS is configured to restrict access to the kernel message buffer with the following commands:

sudo sysctl kernel.dmesg_restrict

kernel.dmesg_restrict = 1

If kernel.dmesg_restrict is not set to 1 or is missing, this is a finding.

Check that the configuration files are present to enable this kernel parameter:

sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null

/etc/sysctl.conf:kernel.dmesg_restrict = 1

/etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1

If kernel.dmesg_restrict is not set to 1, is missing or commented out, this is a finding.

If conflicting results are returned, this is a finding.

Verify KubeOS implements Address space layout randomization (ASLR) with the following command:

sudo sysctl kernel.randomize_va_space

kernel.randomize_va_space = 2

If the kernel parameter kernel.randomize_va_space is not equal to 2, or nothing is returned, this is a finding.

Verify KubeOS prevents leaking of internal kernel addresses with the following command:

sudo sysctl kernel.kptr_restrict

kernel.kptr_restrict = 1

If the kernel parameter kernel.kptr_restrict is not equal to 1, or nothing is returned, this is a finding.

Check that KubeOS has the vlock package installed with the following command:

vlock -v

If a return value is displayed, the item passes the check. Otherwise, the item fails the check.

Verify the telnet-server package is not installed on KubeOS.

Check that the telnet-server package is not installed on KubeOS by running the following command:

whereis telnetd

If the telnet-server package is installed, this is a finding.

Verify that a separate file system/partition has been created for KubeOS nonprivileged local interactive users (those with a UID greater than 1000) home directories with the following command:

# awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd
adamsj 1002 /home/adamsj /bin/bash
jacksonm 1003 /home/jacksonm /bin/bash
smithj 1001 /home/smithj /bin/bash

The output of the command will give the directory/partition that contains the home directories for the nonprivileged users on the system (in this example, /home) and user's shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.

Check that a file system/partition has been created for the nonprivileged interactive users with the following command:

Note: The partition of /home is used in the example.

# grep /home /etc/fstab
UUID=c4e898dd-6cd9-4091-a733-9435e505957a /home btrfs defaults,subvol=@/home 0 0

If a separate entry for the file system/partition that contains the nonprivileged interactive users' home directories does not exist, this is a finding.

Verify that KubeOS has a separate file system/partition for "/var" with the following command:

grep /var /etc/fstab
     UUID=c4e898dd-6cd9-4091-a733-9435e505957a /var btrfs defaults,subvol=@/var,x-initrd.mount 0 0

If a separate entry for "/var" does not exist, this is a finding.

Verify that KubeOS has a separate file system/partition for the system audit data path with the following command:

Note: "/var/log/audit" is used as the example as it is a common location.

grep /var/log/audit /etc/fstab
     UUID=c4e898dd-6cd9-4091-a733-9435e505957a /var btrfs defaults,subvol=@/var/log/audit 0 0

If a separate entry for the system audit data path (in this example the "/var/log/audit" path) does not exist, ask the system administrator if the system audit logs are being written to a different file system/partition on the system and then grep for that file system/partition.

If a separate file system/partition does not exist for the system audit data path, this is a finding.

Verify KubeOS file systems that are being NFS exported are mounted with the nosuid option with the following command:

grep nfs /etc/fstab

     UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0

If a file system found in "/etc/fstab" refers to NFS and it does not have the nosuid option set, this is a finding.

Verify KubeOS file systems that are being NFS exported are mounted with the noexec option with the following command:

grep nfs /etc/fstab

     UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0

If a file system found in "/etc/fstab" refers to NFS and it does not have the noexec option set, and use of NFS exported binaries is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Verify that KubeOS file systems that contain user home directories are mounted with the nosuid option.

Print the currently active file system mount options of the file system(s) that contain the user home directories with the following command:

# for X in `awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd`; do findmnt -nkT $X; done | sort -r
/home /dev/mapper/system-home ext4 rw,nosuid,realtime,data=ordered

If a file system containing user home directories is not mounted with the nosuid option, this is a finding.

Note: If a separate file system has not been created for the user home directories (user home directories are mounted under /), this is not a finding as the nosuid option cannot be used on the / system.

Verify KubeOS disables the ability to automount devices.

Verify the automounter service is active with the following command:

systemctl status autofs
     autofs.service - Automounts filesystems on demand
          Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
          Active: inactive (dead)

If the autofs status is set to active and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Verify that the system command directories have mode "755" or less permissive with the following command:

find -L  /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \;

If any directories are found to be group-writable or world-writable, this is a finding.

Verify that the system command directories have mode "755" or less permissive with the following command:

find -L  /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \;

If any directories are found to be group-writable or world-writable, this is a finding.

Verify the system-wide shared library directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" have mode "755" or less permissive with the following command:

sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c "%n %a" '{}' \;

If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.

Verify the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" have mode 0755 or less permissive.

Check that the systemwide shared library files have mode 0755 or less permissive with the following command:

sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec stat -c "%n %a" {} +

If any output is returned, this is a finding.

Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.

Verify the assigned home directory of all KubeOS local interactive users has a mode of 750 or less permissive with the following command:

# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
-rwxr-x--- 1 smithj users 18 Mar 5 17:6 /home/smithj

If home directories referenced in /etc/passwd do not have a mode of 750 or less permissive, this is a finding.

Verify that all KubeOS local initialization files have a mode of "740" or less permissive with the following command:

Note: The example will be for the user smithj, who has a home directory of "/home/smithj".

sudo ls -al /home/smithj/.* | more
     -rw-r-x---- 1 smithj users 896 Mar 10 2011 .profile
     -rw-r-x---- 1 smithj users 497 Jan 6 27 .login
     -rw-r-x---- 1 smithj users 886 Jan 6 27 .something

If any local initialization files have a mode more permissive than "740", this is a finding.

Verify KubeOS SSH daemon public host key files have mode "644" or less permissive with the following command:

Note: SSH public key files may be found in other directories on the system depending on the installation.

find /etc/ssh -name 'ssh_host*key.pub' -exec stat -c "%a %n" {} \;
     644 /etc/ssh/ssh_host_rsa_key.pub
     644 /etc/ssh/ssh_host_dsa_key.pub
     644 /etc/ssh/ssh_host_ecdsa_key.pub
     644 /etc/ssh/ssh_host_ed25519_key.pub

If any file has a mode more permissive than "644", this is a finding.

Verify KubeOS SSH daemon private host key files have mode "640" or less permissive.

The following command will find all SSH private key files on the system with the following command:

sudo find / -name '*ssh_host*key' -exec ls -lL {} \;

Check the mode of the private host key files under "/etc/ssh" file with the following command:

find /etc/ssh -name 'ssh_host*key' -exec stat -c "%a %n" {} \;

640 /etc/ssh/ssh_host_rsa_key

640 /etc/ssh/ssh_host_dsa_key

640 /etc/ssh/ssh_host_ecdsa_key

640 /etc/ssh/ssh_host_ed25519_key

If any file has a mode more permissive than "640", this is a finding.

Verify the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" are owned by root with the following command:

sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec stat -c "%n %U" {} +

If any output is returned, this is a finding.

Verify the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" are group owned by root with the following command:

sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec stat -c "%n %G" {} +

If any output is returned, this is a finding.

Verify the system-wide shared library directories contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are owned by root with the following command:

sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \;

If any system wide library directory is returned, this is a finding.

Verify the system-wide shared library directories contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root with the following command:

sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \;

If any system wide library directory is returned, this is a finding.

Verify that the system commands are owned by root with the following command:

sudo find -L  /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \;

If any system commands are returned, this is a finding.

Verify that the system commands are group-owned by root with the following command:

sudo find -L  /usr/local/bin /usr/local/sbin! -group root -type f -exec stat -c "%n %G" '{}' \;

If any system commands are returned, this is a finding.

Verify that the system command directories are owned by root with the following command:

find -L  /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \;

If any system command directories are returned, this is a finding.

Verify that the system command directories are group-owned by root with the following command:

find -L  /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \;

If any system command directories are returned, this is a finding.

Verify that all KubeOS files and directories on the system have a valid owner with the following command:

Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.

sudo find / -fstype xfs -nouser

If any files on the system do not have a valid owner, this is a finding.

Verify all KubeOS files and directories on the system have a valid group with the following command:

Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.

sudo find / -fstype xfs -nogroup

If any files on the system do not have a valid group, this is a finding.

Verify the assigned home directory of all KubeOS local interactive users is group-owned by that user's primary GID with the following command:

Note: This may miss local interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory /home/smithj is used as an example.

# awk -F: '($3>=1000)&&($7 !~ /nologin/){print $4, $6}' /etc/passwd)
250:/home/smithj

Check the user's primary group with the following command:

# grep users /etc/group
users:x:250:smithj,jonesj,jacksons

If the user home directory referenced in /etc/passwd is not group-owned by that user's primary GID, this is a finding.

Verify all KubeOS world-writable directories are group-owned by root, sys, bin, or an application group with the following command:

sudo find / -perm -002 -type d -exec ls -lLd {} \;
     drwxrwxrwt. 2 root root 40 Aug 26 13:7 /dev/mqueue
     drwxrwxrwt. 2 root root 220 Aug 26 13:23 /dev/shm
     drwxrwxrwt. 14 root root 4096 Aug 26 13:29 /tmp

If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.

Verify KubeOS prevents unauthorized and unintended information transfer via the shared system resources with the following command:

sudo find / \( -path /.snapshots -o -path /sys -o -path /proc \) -prune -o -perm -002 -type d -exec ls -lLd {} \;
     256 0 drwxrwxrwt 1 root root 4096 Jun 14 06:45 /tmp

If any of the returned directories do not have the sticky bit set, or are not documented as having the write permission for the other class, this is a finding.

Verify KubeOS prevents unauthorized users from accessing system error messages.

Check the "/var/log/messages" file permissions with the following command:

sudo stat -c "%n %U:%G %a" /var/log/messages
     /var/log/messages root:root 640

Check that permissions.local file contains the correct permissions rules with the following command:

grep -i messages /etc/permissions.local
     /var/log/messages root:root 640

If the effective permissions do not match the permissions.local file, the command does not return any output, or is commented out, this is a finding.

Verify KubeOS has all system log files under the /var/log directory with a permission set to "640", by using the following command:

Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Vulnerability Discussion for details.

sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec stat -c "%n %a" {} \;

If command displays any output, this is a finding.

Verify KubeOS firewalld.service is enabled and running with the following command:

systemctl status firewalld.service
          firewalld.service - firewalld - dynamic firewall daemon
               Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
               Active: active (running) since Wed 2023-11-29 08:12:35 MST

If the service is not enabled and active, this is a finding.

Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command:

sudo firewall-cmd --list-all

Ask the system administrator for the site or program PPSM Component Local Services Assessment (Component Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA.

If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.

If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

Verify that KubeOS clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second with the following command:

sudo grep maxpoll /etc/chrony.conf
     server 0.us.pool.ntp.mil maxpoll 16

If the server parameter is not set to an authoritative DOD time source, maxpoll is greater than "16", the line is commented out, or the line is missing, this is a finding.

Verify KubeOS network interfaces are not in promiscuous mode with the following command:

ip link | grep -i promisc

If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.

Verify KubeOS does not accept IPv4 source-routed packets with the following command:

sudo sysctl net.ipv4.conf.all.accept_source_route

     net.ipv4.conf.all.accept_source_route = 0

If the network parameter ipv4.conf.all.accept_source_route is not equal to "0", or nothing is returned, this is a finding.

Verify KubeOS does not accept IPv4 source-routed packets by default with the following command:

sudo sysctl net.ipv4.conf.default.accept_source_route

     net.ipv4.conf.default.accept_source_route = 0

If the network parameter ipv4.conf.default.accept_source_route is not equal to "0", or nothing is returned, this is a finding.

Verify KubeOS does not accept IPv4 ICMP redirect messages with the following command:

sudo sysctl net.ipv4.conf.all.accept_redirects

     net.ipv4.conf.all.accept_redirects = 0

If the network parameter ipv4.conf.all.accept_redirects is not equal to "0", or nothing is returned, this is a finding.

Verify KubeOS does not accept IPv4 ICMP redirect messages by default with the following command:

sudo sysctl net.ipv4.conf.default.accept_redirects

     net.ipv4.conf.default.accept_redirects = 0

If the network parameter ipv4.conf.default.accept_redirects is not equal to "0", or nothing is returned, this is a finding.

Verify KubeOS does not allow interfaces to perform IPv4 ICMP redirects with the following command:

sudo sysctl net.ipv4.conf.all.send_redirects

     net.ipv4.conf.all.send_redirects = 0

If the network parameter ipv4.conf.all.send_redirects is not equal to "0", or nothing is returned, this is a finding.

Verify KubeOS does not allow interfaces to perform IPv4 ICMP redirects by default with the following command:

sudo sysctl net.ipv4.conf.default.send_redirects

     net.ipv4.conf.default.send_redirects = 0

If the network parameter ipv4.conf.default.send_redirects is not equal to "0", or nothing is returned, this is a finding.

Verify KubeOS is not performing IPv4 packet forwarding, unless the system is a router with the following command:

sudo sysctl net.ipv4.ip_forward

     net.ipv4.ip_forward = 0

If the network parameter ipv4.ip_forward is not equal to "0", or nothing is returned, this is a finding.

Verify KubeOS is configured to use IPv4 TCP syncookies with the following command:

sudo sysctl net.ipv4.tcp_syncookies

     net.ipv4.tcp_syncookies = 1

If the network parameter ipv4.tcp_syncookies is not equal to "1", or nothing is returned, this is a finding.

Verify KubeOS does not accept IPv6 source-routed packets with the following command:

sudo sysctl net.ipv6.conf.all.accept_source_route

     net.ipv6.conf.all.accept_source_route = 0

If the network parameter ipv6.conf.all.accept_source_route is not equal to "0" or nothing is returned, this is a finding.

Verify KubeOS does not accept IPv6 source-routed packets by default with the following command:

sudo sysctl net.ipv6.conf.default.accept_source_route

     net.ipv6.conf.default.accept_source_route = 0

If the network parameter ipv6.conf.default.accept_source_route is not equal to "0", or nothing is returned, this is a finding.

Verify KubeOS does not accept IPv6 ICMP redirect messages with the following command:

sudo sysctl net.ipv6.conf.all.accept_redirects

     net.ipv6.conf.all.accept_redirects = 0

If the network parameter ipv6.conf.all.accept_redirects is not equal to "0", or nothing is returned, this is a finding.

Verify KubeOS does not allow IPv6 ICMP redirect messages by default with the following command:

sudo sysctl net.ipv6.conf.default.accept_redirects

     net.ipv6.conf.default.accept_redirects = 0

If the network parameter ipv6.conf.default.accept_redirects is not equal to "0", or nothing is returned, this is a finding.

Verify KubeOS is not performing IPv6 packet forwarding, unless the system is a router with the following command:

sudo sysctl net.ipv6.conf.all.forwarding

     net.ipv6.conf.all.forwarding = 0

If the network parameter ipv6.conf.all.forwarding is not equal to "0", or nothing is returned, this is a finding.

Verify KubeOS is not performing IPv6 packet forwarding by default, unless the system is a router with the following command:

sudo sysctl net.ipv6.conf.default.forwarding

     net.ipv6.conf.default.forwarding = 0

If the network parameter ipv6.conf.default.forwarding is not equal to "0", or nothing is returned, this is a finding.

Verify the SSH package is installed by using the following command:

find / -name ssh-keygen

     /usr/bin/ssh-keygen

If the openssh package is not installed, this is a finding.

Verify sshd.service is enabled and active by using the following command:

systemctl status sshd.service | grep -i active

     Active: active (running) since Wed 2023-11-29 09:49:45 MST; 2 months 23 days ago

If openssh.service is not active, this is a finding.

Verify KubeOS disables unattended or automatic logon via SSH with the following command:

grep -w "^PermitEmptyPasswords no" /etc/ssh/sshd_config
     PermitEmptyPasswords no

grep -w "^PermitUserEnvironment no" /etc/ssh/sshd_config
     PermitUserEnvironment no

If PermitEmptyPasswords or PermitUserEnvironment keywords are not set to no, are commented out, or are missing completely, this is a finding.

Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive by using the following command:

# sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientalivecountmax'
/etc/ssh/sshd_config:ClientAliveCountMax 1

If ClientAliveCountMax is not set to 1, is commented out, missing, or conflicting results are returned, this is a finding.

Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes by using the following command:

# sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientaliveinterval'
/etc/ssh/sshd_config:ClientAliveInterval 600

If ClientAliveInterval is not set to 600 or less, is commented out, missing, or conflicting results are returned, this is a finding.

Verify KubeOS SSH daemon remote X forwarded connections for interactive users are disabled with the following command:

# sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11forwarding'
/etc/ssh/sshd_config:X11Forwarding no

If the X11Forwarding keyword is set to yes and is not documented with the information system security officer (ISSO) as an operational requirement, is commented out, or the line is missing, this is a finding.

Verify that KubeOS implements DOD-approved encryption to protect the confidentiality of SSH remote connections with the following command:

grep -w "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config
     Ciphers aes256-ctr,aes192-ctr,aes128-ctr

If any ciphers other than aes256-ctr, aes192-ctr, or aes128-ctr are listed, the order differs from the example above, the line is commented out, or the Ciphers keyword is missing, or conflicting results are returned, this is a finding.

Verify KubeOS SSH daemon is configured to only use MACs that employ FIPS 140-2/140-3 approved hashes with the following command:

grep -w "^MACs hmac-sha2-512,hmac-sha2-256" /etc/ssh/sshd_config
     MACs hmac-sha2-512,hmac-sha2-256

If any ciphers other than hmac-sha2-512 or hmac-sha2-256 are listed, the order differs from the example above, is commented out, missing, or conflicting results are returned, this is a finding.

Verify that the SSH server is configured to use only FIPS 140-2/140-3 validated key exchange algorithms with the following command:

grep -w "^KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" /etc/ssh/sshd_config
     KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

If KexAlgorithms does not contain the list of algorithms in the exact order, is commented out, missing, or conflicting results are returned, this is a finding.

Verify KubeOS denies direct logons to the root account using remote access via SSH with the following command:

# sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permitrootlogin'
/etc/ssh/sshd_config:PermitRootLogin no

If the PermitRootLogin keyword is set to yes, is commented out, missing, or conflicting results are returned, this is a finding.

Verify SSH is configured to verbosely log connection attempts and failed logon attempts to KubeOS with the following command:

# sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*loglevel'
/etc/ssh/sshd_config:LogLevel VERBOSE

If LogLevel is not set to VERBOSE, is commented out, missing, or conflicting results are returned, this is a finding.

Verify all remote connections via SSH to KubeOS display feedback on when account accesses last occurred with the following command:

# sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*printlastlog'
/etc/ssh/sshd_config:PrintLastLog yes

If the PrintLastLog is not set to yes, is commented out, missing, or conflicting results are returned, this is a finding.

Verify KubeOS SSH daemon is configured to not allow authentication using known hosts authentication with the following command:

# sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ignoreuserknownhosts'
/etc/ssh/sshd_config:IgnoreUserKnownHosts yes

If IgnoreUserKnownHosts is not set to no, is commented out, missing, or conflicting results are returned, this is a finding.

Verify KubeOS SSH daemon performs strict mode checking of home directory configuration files with the following command:

# sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*strictmodes'
/etc/ssh/sshd_config:StrictModes yes

If StrictModes is not set to yes, is commented out, missing, or conflicting results are returned, this is a finding.

Verify the SSH private key files have a passcode.

For each private key stored on the system, use the following command (with the example of "/etc/ssh/ssh_host_dsa_key"):

ssh-keygen -y -f /etc/ssh/ssh_host_dsa_key
     Load key "/etc/ssh/ssh_host_dsa_key": Permission denied

If the contents of any key are displayed, this is a finding.

Verify there are no ".shosts" files on KubeOS with the following command:

find / \( -path /.snapshots -o -path /sys -o -path /proc \) -prune -o -name '.shosts' -print

If any ".shosts" files are found on the system, this is a finding.

Verify there are no shosts.equiv files on KubeOS with the following command:

find /etc -name shosts.equiv

If any shosts.equiv files are found on the system, this is a finding.

Verify that KubeOS has no wireless network adapters enabled with the following command:

sudo wicked show all
     ...
     wlan0 up
     link: #3, state up, mtu 1500
     type: wireless, hwaddr 06:00:00:00:00:02
     config: wicked:xml:/etc/wicked/ifconfig/wlan0.xml
     leases: ipv4 dhcp granted
     addr: ipv4 10.0.0.101/16 [dhcp]
     route: ipv4 default via 10.0.0.1 proto dhcp

If a wireless interface is configured and has not been documented and approved by the AO, this is a finding.

Verify KubeOS does not automount USB mass storage devices when connected to the host with the following command:

grep usb-storage /etc/modprobe.d/50-blacklist.conf
     blacklist usb-storage

If the line is commented out or the line is missing, this is a finding.

Verify all KubeOS local interactive users on the system are assigned a home directory upon creation with the following command:

grep -i "^CREATE_HOME yes" /etc/login.defs
     CREATE_HOME yes

If the CREATE_HOME parameter is not set to yes, the line is commented out, or the line is missing, this is a finding.

Verify KubeOS defines default permissions for all authenticated users in such a way that the users can only read and modify their own files with the following command:

grep -i "^UMASK 077" /etc/login.defs
     UMASK 077

If the UMASK variable is set to "000", the severity is raised to a CAT I and this is a finding.

If the value of UMASK is not set to "077", the line is commented out, or the line is missing, this is a finding.

Verify KubeOS enforces a delay of at least five seconds between logon prompts following a failed logon attempt with the following command:

grep -wi "^fail_delay 5" /etc/login.defs
     FAIL_DELAY 5

If the value of FAIL_DELAY is not set to "5" or greater, the line is commented out, or the line is missing, this is a finding.

Verify KubeOS local interactive users on the system have a home directory assigned with the following command:

getent passwd | while IFS=: read user _ _ _ _ homedir shell; do

if grep -qxF "$shell" /etc/shells 2>/dev/null; then

if [ ! -d "$homedir" ]; then

echo "$user: fail"

fi

fi

done

If any interactive users do not have a home directory assigned, this is a finding.

Verify the assigned home directory of all KubeOS local interactive users on the system exists.

Check the home directory assignment for all local interactive nonprivileged users on the system with the following command:

# awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $6}' /etc/passwd
smithj /home/smithj

Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.

Check that all referenced home directories exist with the following command:

# sudo pwck -r
user 'smithj': directory '/home/smithj' does not exist

If any home directories referenced in /etc/passwd are returned as not defined, this is a finding.

Verify that all KubeOS local interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the user's home directory with the following command:

Note: The example will be for the user smithj, who has a home directory of /home/smithj.

# grep -i path= /home/<username>/.*
/home/<username>/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin

If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the ISSO as an operational requirement, this is a finding.

Verify that KubeOS local initialization files do not execute world-writable programs with the following command:

find / -xdev -perm -002 -type f -exec ls -ld {} \;

If any local initialization files are found to reference world-writable files, this is a finding.

Verify temporary accounts have been provisioned with an expiration date of 72 hours with the following command:

# chage -l <temporary_account_name> | grep -E '(Password|Account) expires'

If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

Verify KubeOS is configured such that emergency administrator accounts are never automatically removed or disabled with the following command:

Note: Root is typically the account of last resort on a system and is also used as the example emergency administrator account. If another account is being used as the emergency administrator account, the command should be used against that account.

# sudo chage -l <emergency_administrator_account_name> | grep -E '(Password|Account) expires'
Password expires: never
Account expires: never

If Password expires or Account expires is set to anything other than never, this is a finding.

Verify all KubeOS accounts are assigned to an active system, application, or user account with the following command:

more /etc/passwd
     root:x:0:0:root:/root:/bin/bash
     ...
     games:x:12:100:Games account:/var/games:/bin/bash

Obtain the list of authorized system accounts from the information system security officer.

If the accounts on the system do not match the provided documentation, this is a finding.

Verify all noninteractive KubeOS accounts do not have an interactive shell assigned to them with the following command:

Check the system accounts on the system.

# awk -F: 'NR==FNR { shells[$1]=1; next } $3 > 1000 && ($7 in shells) ' /etc/shells /etc/passwd

If noninteractive accounts such as games or nobody are listed with an interactive shell, this is a finding.

Verify that KubeOS root account is the only account with unrestricted access to the system with the following command:

awk -F: '$3 == 0 {print $1}' /etc/passwd
     root

If any accounts other than root are listed, this is a finding.

Verify KubeOS disables account identifiers after 35 days of inactivity after the password expiration with the following command:

grep -i '^INACTIVE=35' /etc/default/useradd
     INACTIVE=35

If the value for INACTIVE is not set to a value greater than "0" and less than or equal to "35", if the line is commented out, or the line is missing, this is a finding.

Verify KubeOS contains no duplicate UIDs for interactive users with the following command:

awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd

If output is produced, this is a finding.

Verify KubeOS users are provided with feedback on when account accesses last occurred with the following command:

grep "session required pam_lastlog.so showfailed" /etc/pam.d/login

If pam_lastlog is missing from "/etc/pam.d/login" file, the silent option is present, the second column value different from requisite, or the returned line is commented out, this is a finding.

Verify KubeOS must initiate a session logout after a 15-minute period of inactivity for all connection type with the following command:

grep -w "^TMOUT=900" /etc/profile.d/autologout.sh
grep -w "^readonly TMOUT" /etc/profile.d/autologout.sh
grep -w "^export TMOUT" /etc/profile.d/autologout.sh

If the file "/etc/profile.d/autologout.sh" does not exist or has no return value, this is a finding.

Verify KubeOS locks a user account after three consecutive failed access attempts until the locked account is released by an administrator with the following command:

grep -w "^auth required pam_faillock.so onerr=fail silent audit deny=3" /etc/pam.d/common-auth
grep -w "^account required pam_faillock.so" /etc/pam.d/common-account

If deny set to a value other than "1", "2", or "3", if "onerr=fail" is missing, if the line is commented out, or the line is missing, this is a finding.

Verify KubeOS enforces a delay of at least five seconds between logon prompts following a failed logon attempt with the following command:

grep “auth required pam_faildelay.so delay=5000000“ /etc/pam.d/common-auth

If the value of delay is not set to "5000000" or greater, delay is missing, the line is commented out, or the pam_faildelay line is missing completely, this is a finding.

Verify KubeOS limits the number of concurrent sessions to 10 for all accounts and/or account types with the following command:

grep -w "* hard maxlogins 10" /etc/security/limits.conf
     * hard maxlogins 10

If the maxlogins does not have a value of "10" or less, is commented out, or is missing, this is a finding.

Verify KubeOS has the policycoreutils package installed with the following command:

sestatus -v
     SELinux status:                 enabled
     SELinuxfs mount:                /sys/fs/selinux
     SELinux root directory:         /etc/selinux
     ...

If the policycoreutils package is not installed, this is a finding.

Verify SELinux is active and in Enforcing mode with the following command:

getenforce
     Enforcing

If SELinux is not in Enforcing mode, this is a finding.

Verify SELinux is active and enforcing the targeted policy with the following command:

grep -i "SELINUXTYPE=targeted" /etc/selinux/config

If the "Loaded policy name" is not set to targeted, this is a finding.

Verify KubeOS prevents nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.

Obtain a list of authorized users (other than system administrator and guest accounts) for the system.

Check the list against the system with the following command:

sudo semanage login -l | more
     Login Name SELinux User MLS/MCS Range Service
     __default__ user_u s0-s0:c0.c1023 *
     root unconfined_u s0-s0:c0.c1023 *
     system_u system_u s0-s0:c0.c1023 *
     joe staff_u s0-s0:c0.c1023 *

All administrators must be mapped to the sysadm_u, staff_u, or an appropriately tailored confined role as defined by the organization.

All authorized nonadministrative users must be mapped to the user_u role.

If any interactive users are not mapped in this way, this is a finding.

Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation with the following command:

grep -rE '^Defaults !(targetpw|rootpw|runaspw)$' /etc/sudoers /etc/sudoers.d/
     Defaults !targetpw
     Defaults !rootpw
     Defaults !runaspw

If Defaults types are not defined for "!targetpw", "!rootpw", and "!runaspw", there are conflicting results between files, this is a finding.

Verify that KubeOS requires reauthentication when changing authenticators, roles, or escalating privileges with the following command:

grep -i "^nopasswd" /etc/sudoers
grep -i "^!authenticate" /etc/sudoers

If any uncommented lines containing "!authenticate", or NOPASSWD are returned and active accounts on the system have valid passwords, this is a finding.

Verify KubeOS requires reauthentication when using the sudo command to elevate privileges with the following command:

sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d
     /etc/sudoers:Defaults timestamp_timeout=0

If timestamp_timeout is set to a negative number, is commented out, conflicting results are returned, or no results are returned, this is a finding.

Verify the sudoers file restricts sudo access to authorized personnel with the following command:

sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*
     root ALL=(ALL) ALL

If "ALL ALL=(ALL) ALL" or "ALL ALL=(ALL:ALL) ALL" entries are returned, this is a finding.

Verify KubeOS specifies only the default include directory for the /etc/sudoers file, and does not have nested include files or directories within the /etc/sudoers.d directory with the following command:

Note: If the include and includedir directives are not present in the /etc/sudoers file, this requirement is not applicable.

grep -w "^#includedir /etc/sudoers.d" /etc/sudoers
#includedir /etc/sudoers.d

If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding.

Verify KubeOS enforces password complexity by requiring at least one uppercase character with the following command:

grep -w "^password requisite pam_pwquality.so ucredit=-1" /etc/pam.d/common-password

If the value for ucredit is not "-1", if ucredit is missing from the line, the second column value different from requisite, the line is commented out, or the line is missing, this is a finding.

Verify KubeOS enforces password complexity by requiring at least one lower character with the following command:

grep -w "^password requisite pam_pwquality.so lcredit=-1" /etc/pam.d/common-password

If the value for lcredit is not "-1", if lcredit is missing from the line, the second column value different from requisite, the line is commented out, or the line is missing, this is a finding.

Verify KubeOS enforces password complexity by requiring at least one numeric character with the following command:

grep -w "^password requisite pam_pwquality.so dcredit=-1" /etc/pam.d/common-password

If the value for dcredit is not "-1", if dcredit is missing from the line, the second column value different from requisite, the line is commented out, or the line is missing, this is a finding.

Verify KubeOS enforces password complexity by requiring at least one special character with the following command:

grep -w "^password requisite pam_pwquality.so ocredit=-1" /etc/pam.d/common-password

If the value for ocredit is not "-1", if ucredit is missing from the line, the second column value different from requisite, the line is commented out, or the line is missing, this is a finding.

Verify KubeOS prevents the use of dictionary words for passwords with the following command:

grep -w "^password requisite pam_pwquality.so" /etc/pam.d/common-password

If the second column value is different from requisite, the line is commented out, or the line is missing, this is a finding.

Verify KubeOS enforces a minimum 15-character password length with the following command:

grep -w "^password requisite pam_pwquality.so minlen=15" /etc/pam.d/common-password

If the value for minlen is not "15" or greater, the minlen option is missing from the line, the second column has a value different from requisite, the line is commented out, or the line is missing, this is a finding.

Verify KubeOS requires at least eight characters be changed between the old and new passwords during a password change with the following command:

grep -w "^password requisite pam_pwquality.so difok=8" /etc/pam.d/common-password

If the value for difok is not "8" or greater, if difok is missing from the line, the second column value different from requisite, the line is commented out, or the line is missing, this is a finding.

Verify KubeOS prohibits the reuse of a password for a minimum of five generations with the following command:

grep -w "^password requisite pam_pwhistory.so remember=5 use_authtok" /etc/pam.d/common-password

If the value for remember is not "5" or greater, if the remember option is missing from the line, if the use_authtok option is missing, if the second column has a value different from requisite, if the line is commented out, or the line is missing, this is a finding.

Verify KubeOS configures the Linux PAM to only store encrypted representations of passwords with the following command:

grep -w "^password required pam_unix.so sha512" /etc/pam.d/common-password

If the value sha512 is not present in the line, the second column value is different from requisite, the line is commented out, or the line is missing, this is a finding.

Verify KubeOS is not configured to allow blank or null passwords with the following command:

grep pam_unix.so /etc/pam.d/* | grep nullok

If this produces any output, this is a finding.

Check the "/etc/shadow" file for blank passwords with the following command:

awk -F: '!$2 {print $1}' /etc/shadow

If the command returns any results, this is a finding.

Verify KubeOS enforces a minimum time period between password changes for each user account of one day or greater with the following command:

# awk -F: '$4 < 1 {print $1 ":" $4}' /etc/shadow

If any results are returned that are not associated with a system account, this is a finding.

Verify that KubeOS enforces a maximum user password age of 60 days or less with the following command:

sudo awk -F: '$5 > 60 || $5 == "" {print $1 ":" $5}' /etc/shadow

If any results are returned that are not associated with a system account, this is a finding.

Verify the password history file exists on KubeOS with the following command:

find /etc/security -name opasswd

If the opasswd file does not exist, this is a finding.

Use the following command to verify that the KubeOS user password should use the SHA512 algorithm.

grep -w "^ENCRYPT_METHOD SHA512" /etc/login.defs
     ENCRYPT_METHOD SHA512

If ENCRYPT_METHOD is not set to SHA512, or is commented out, this is a finding.

Verify KubeOS shadow password suite is configured to encrypt passwords using sufficient number of hashing rounds.

grep -i "^SHA_CRYPT_" /etc/login.defs
     SHA_CRYPT_MIN_ROUNDS 5000
     SHA_CRYPT_MAX_ROUNDS 5000

If only one of SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS is set, and this value is below "5000", this is a finding.

If both SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are set, and the highest value for either is below "5000", this is a finding.

Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2/140-3 approved cryptographic hashing algorithm with the following command:

grep "^ENCRYPT_METHOD " /etc/login.defs
     ENCRYPT_METHOD SHA512

If ENCRYPT_METHOD is not set to SHA512, if any values other that SHA512 are configured, or if no output is produced, this is a finding.

Verify KubeOS creates or updates passwords with minimum password age of one day or greater with the following command:

grep -w "^PASS_MIN_DAYS " /etc/login.defs

If PASS_MIN_DAYS does not have a value of "1" or greater, the line is commented out, or no line is returned, this is a finding.

Verify that KubeOS is configured to create or update passwords with a maximum password age of 60 days or less with the following command:

grep -w "^PASS_MAX_DAYS   7 " /etc/login.defs

If PASS_MAX_DAYS is not set to a value of "7" , this is a finding.

Configure KubeOS to implement multi-factor authentication by installing the required software packages.

Use the following commands to verify the software packages necessary for supporting multi-factor authentication are installed:

find /usr/lib64 -name libnss3.so
find /usr/lib64 -name libnssutil3.so
find /usr/lib64 -name libccid.so
find /usr/lib64 -name libpcsclite.so.1
find /usr/lib64 -name pam_pkcs11
find /usr/bin -name pcsc_scan
find /usr/lib64 -name libopensc.*

Verify KubeOS implements multifactor authentication for remote access to privileged accounts via PAM with the following command:

grep pam_pkcs11.so /etc/pam.d/common-auth
     auth sufficient pam_pkcs11.so

If pam_pkcs11.so is not set in "/etc/pam.d/common-auth", or the line is commented out, this is a finding.

Verify KubeOS implements certificate status checking for multifactor authentication with the following command:

grep -w cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep ocsp_on

If cert_policy is not set to include ocsp, this is a finding.

If NSS is used by KubeOS, verify it prohibits the use of cached authentications after one day with the following command:

Note: If NSS is not used on the operating system, this is not applicable.

grep -i "^memcache_timeout" /etc/sssd/sssd.conf
     memcache_timeout = 86400

If memcache_timeout has a value greater than "86400", the line is commented out, or the line is missing, this is a finding.

Verify that KubeOS PAM prohibits the use of cached off line authentications after one day with the following command:

Note: If SSSD is not being used on the operating system, this is not applicable.

grep "offline_credentials_expiration" /etc/sssd/sssd.conf
     offline_credentials_expiration = 1

If offline_credentials_expiration is not set to a value of "1", the line is commented out, or the line is missing, this is a finding.

Verify KubeOS for PKI-based authentication had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor with the following command:

grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
     cert_policy = ca,oscp_on,signature,crl_auto;

If cert_policy is not set to include ca on all returned lines, this is a finding.

Verify KubeOS is configured to not overwrite PAM configuration on package changes with the following command:

find /etc/pam.d/ -type l -iname "common-*"

If any results are returned, this is a finding.

Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions with the following command:

/usr/sbin/aide -h| grep "Usage: aide \[options\] command"

If the output shows "File not found", then this is a finding.

Verify that KubeOS file integrity tool is configured to verify extended attributes.

grep "^FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256" /etc/aide.conf
grep "^DIR = p+i+n+u+g+acl+selinux+xattrs" /etc/aide.conf
grep "^PERMS = p+i+u+g+acl+selinux" /etc/aide.conf
grep "^DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256" /etc/aide.conf

If the acl rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

Verify that KubeOS file integrity tool is configured to verify extended attributes.

grep "^FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256" /etc/aide.conf
grep "^DIR = p+i+n+u+g+acl+selinux+xattrs" /etc/aide.conf
grep "^DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256" /etc/aide.conf

If the xattrs rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

Verify that KubeOS file integrity tool is configured to protect the integrity of the audit tools.

Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command:

sudo grep /usr/sbin/au /etc/aide.conf
     /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
     /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

If any of the seven lines do not appear as shown, are commented out, or are missing, this is a finding.

Verify KubeOS checks the baseline configuration using AIDE for unauthorized changes at least once weekly with the following command:

Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week.

sudo grep -R aide /etc/crontab /etc/cron.*
     /etc/crontab: 30 04 * * * root /usr/sbin/aide

If the file integrity application does not exist, or a crontab file does not exist in "/etc/crontab", the "/etc/cron.daily" subdirectory, or "/etc/cron.weekly" subdirectory, this is a finding.

Verify KubeOS notifies the SA when AIDE discovers anomalies in the operation of any security functions.

Note: A file integrity tool other than AIDE may be used, but the tool must be configured to notify the system administrator and/or ISSO if there is an anomaly.

Verify the aide cron job sends an email when executed with the following command:

grep -i "aide" /etc/cron.*/aide

0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil

If the aide file does not exist under the "/etc/cron" directory structure or the cron job is not configured to execute a binary to send an email (such as "/bin/mail"), this is a finding.

Verify that KubeOS must offload syslog-ng messages for networked systems in real time and offload standalone systems at least weekly.

For standalone hosts, verify with the system administrator that the log files are offloaded at least weekly.

For networked systems, check that syslog-ng is sending log messages to a remote server with the following command:

# sudo grep -i "^*.* @<IP>:514" /etc/rsyslog.conf
# sudo grep -i "^*.* @@<IP>:514" /etc/rsyslog.conf

If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.

Verify KubeOS auditing package is installed with the following command:

auditctl -v
auditctl version 3.1.2

If the package audit is not installed on the system, this is a finding.

Verify KubeOS produces audit records with the following commands:

systemctl is-active auditd.service
     active

systemctl is-enabled auditd.service
     enabled

If the service is not active or not enabled, this is a finding.

Verify that the audit-audispd-plugins package is installed on KubeOS with the following command:

grep -iw "^active = yes " /etc/audit/plugins.d/au-remote.conf
     active = yes

If active is not set to yes, is commented out, or is missing, this is a finding.

Verify KubeOS allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.

Check the size of the partition that audit records are written to (with the example being /var/log/audit/) with the following command:

df -h /var/log/audit/
     Filesystem    Size    Used   Avail  Use%  Mounted on
     /dev/sda2     24G  10.4G 13.6G    43% /var

If the audit record partition is not allocated sufficient storage capacity, this is a finding.

Determine if KubeOS auditd is configured to notify the SA and ISSO when the audit record storage volume reaches 75 percent of the storage capacity with the following command:

sudo grep -iw space_left /etc/audit/auditd.conf
     space_left = 25%

If space_left is not set to "25%" or greater, this is a finding.

Verify KubeOS takes the appropriate action when the audit storage volume is full using the following command:

sudo grep disk_full_action /etc/audit/auditd.conf
     disk_full_action = HALT

If disk_full_action is not set to HALT, SYSLOG, or SINGLE, is commented out, or is missing, this is a finding.

Verify what action the audit system takes if it cannot offload audit records to a different system or storage media from KubeOS being audited.

Check the action that the audit system takes in the event of a network failure with the following command:

sudo grep -i "network_failure_action" /etc/audisp/audisp-remote.conf
     network_failure_action = syslog

If the network_failure_action option is not set to syslog, single, or halt or the line is commented out, this is a finding.

Verify the audit system offloads audit records if KubeOS storage volume becomes full.

Check that the records are properly offloaded to a remote server with the following command:

grep -i "^disk_full_action = syslog" /etc/audisp/audisp-remote.conf
     disk_full_action = syslog

If disk_full_action is not set to syslog, single, or halt or the line is commented out, this is a finding.

Verify that KubeOS protects audit rules from unauthorized modification with the following command:

stat -c "%n %U:%G %a" /var/log/audit
     /var/log/audit root:root 600
stat -c "%n %U:%G %a" /var/log/audit/audit.log
     /var/log/audit/audit.log root:root 600
stat -c "%n %U:%G %a" /etc/audit/audit.rules
     /etc/audit/audit.rules root:root 640
stat -c "%n %U:%G %a" /etc/audit/rules.d/audit.rules
     /etc/audit/rules.d/audit.rules root:root 640

If the command does not return any output or permission is insufficient, this is a finding.

To protect from unauthorized access verify that KubeOS audit tools have the proper permissions configured in the permissions profile by using the following command:

stat -c "%n %U:%G %a" /usr/sbin/auditctl
     /usr/sbin/auditctl root:root 750
stat -c "%n %U:%G %a" /usr/sbin/auditd
     /usr/sbin/auditd root:root 750
stat -c "%n %U:%G %a" /usr/sbin/ausearch
     /usr/sbin/ausearch root:root 755
stat -c "%n %U:%G %a" /usr/sbin/autrace
     /usr/sbin/autrace root:root 750
stat -c "%n %U:%G %a" /usr/sbin/aureport
     /usr/sbin/aureport root:root 755
stat -c "%n %U:%G %a" /usr/sbin/augenrules
     /usr/sbin/augenrules root:root 750

If the command does not return any output or permission is insufficient, this is a finding.

Determine if KubeOS audit event multiplexor is configured to use Kerberos by running the following command:

grep enable_krb5 /etc/audisp/audisp-remote.conf
     enable_krb5 = yes

If enable_krb5 is not set to yes, or is commented out, this is a finding.

Verify audispd offloads audit records onto a different system or media from KubeOS being audited with the following command:

grep remote_server /etc/audisp/audisp-remote.conf
     remote_server = 240.9.19.81

If remote_server is not set to an external server or media, or is commented out, this is a finding.

Verify the administrators are notified in the event of a KubeOS audit processing failure with the following commands:

grep -i "^postmaster:" /etc/aliases
     postmaster: root

If the above command does not return a value of root, or the output is commented out, this is a finding.

Verify the alias for root forwards to a monitored e-mail account:

grep -i "^root:" /etc/aliases
     root: person@server.mil

If the alias for root does not forward to a monitored e-mail account, or the output is commented out, this is a finding.

Verify the system is configured to send email to an account when it needs to notify an administrator with the following command:

sudo grep action_mail /etc/audit/auditd.conf
     action_mail_acct = root

If the value of the action_mail_acct keyword is not set to root and/or other accounts for security personnel, the returned line is commented out, or the action_mail_acct keyword is missing, this is a finding.

Verify KubeOS generates an audit record for all uses of the chacl command with the following command:

grep -w /usr/bin/chacl /etc/audit/rules.d/audit.rules

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for any use of the chage command with the following command:

grep -w /usr/bin/chage /etc/audit/rules.d/audit.rules

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the chcon command with the following command:

grep -w /usr/bin/chcon /etc/audit/rules.d/audit.rules
     -a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the chfn command with the following command:

grep -w /usr/bin/chfn /etc/audit/rules.d/audit.rules
     -a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chfn

If the command does not return any output or the returned line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the chmod command with the following command:

grep -w /usr/bin/chmod /etc/audit/rules.d/audit.rules
     -a always,exit -S all -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the chsh command with the following command:

grep -w /usr/bin/chsh /etc/audit/rules.d/audit.rules
     -a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chsh

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for any use of the crontab command with the following command:

grep -w /usr/bin/crontab /etc/audit/rules.d/audit.rules
     -a always,exit -S all -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-crontab

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the gpasswd command with the following command:

grep -w /usr/bin/gpasswd /etc/audit/rules.d/audit.rules
     -a always,exit -S all -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-gpasswd

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS is generates an audit record for all uses of the insmod command with the following command:

grep -w /sbin/insmod /etc/audit/rules.d/audit.rules
     -w /sbin/insmod -p x -k modules

If the system is configured to audit the execution of the module management program insmod, the command will return a line.

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the kmod command with the following command:

grep -w /usr/bin/kmod /etc/audit/rules.d/audit.rules
     -w /usr/bin/kmod -p x -k modules

If the system is configured to audit the execution of the module management program kmod, the command will return a line.

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the modprobe command with the following command:

grep -w /sbin/modprobe /etc/audit/rules.d/audit.rules
     -w /sbin/modprobe -p x -k modules

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the newgrp command with the following command:

grep -w /usr/bin/newgrp /etc/audit/rules.d/audit.rules
     -a always,exit -S all -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-newgrp

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for any use of the pam_timestamp_check command with the following command:

grep -w /sbin/pam_timestamp_check /etc/audit/rules.d/audit.rules
     -a always,exit -S all -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-pam_timestamp_check

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the passwd command with the following command:

grep -w /usr/bin/passwd /etc/audit/rules.d/audit.rules
     -a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-passwd

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the rm command with the following command:

grep -w /usr/bin/rm /etc/audit/rules.d/audit.rules
     -a always,exit -S all -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the rmmod command with the following command:

grep -w /sbin/rmmod /etc/audit/rules.d/audit.rules
     -w /sbin/rmmod -p x -k modules

If the system is configured to audit the execution of the module management program rmmod, the command will return a line.

If the command does not return a line that matches the example or the line is commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Verify KubeOS generates an audit record for all uses of the setfacl command with the following command:

grep -w /usr/bin/setfacl /etc/audit/rules.d/audit.rules
     -a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod

If the command does not return any output, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.