Guide to the Secure Configuration of SUSE Linux Enterprise Micro 5
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify File Permissions Within Some Important Directories
Some directories contain files whose confidentiality or integrity is notably important and may also be susceptible to misconfiguration over time, particularly if unpackaged software is installed. A...Group -
Verify that Shared Library Directories Have Root Group Ownership
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pr...Rule Medium Severity -
Verify that Shared Library Directories Have Root Ownership
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pr...Rule Medium Severity -
Verify that System Executable Directories Have Restrictive Permissions
System executables are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin</pre> These directories should not be group-writable or worl...Rule Medium Severity -
Verify that Shared Library Directories Have Restrictive Permissions
System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /...Rule Medium Severity -
Verify that system commands files are group owned by root or a system account
System commands files are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All files in these directories should be owned by ...Rule Medium Severity -
Verify that System Executables Have Root Ownership
System executables are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin</pre> All files in these directories should be ...Rule Medium Severity -
Verify that Shared Library Files Have Root Ownership
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pr...Rule Medium Severity -
Verify that System Executables Have Restrictive Permissions
System executables are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin</pre> All files in these directories should not...Rule Medium Severity -
Verify that Shared Library Files Have Restrictive Permissions
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pr...Rule Medium Severity -
Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.
System-wide library files are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pre> All system-wide shared library files should be protected from unauthorised ...Rule Medium Severity -
Restrict Dynamic Mounting and Unmounting of Filesystems
Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary in many environments, but this capability also ca...Group -
Disable the Automounter
The <code>autofs</code> daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default c...Rule Medium Severity -
Disable Modprobe Loading of USB Storage Driver
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the <code>usb-...Rule Medium Severity -
Restrict Partition Mount Options
System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the <code>/etc/fstab</code> configuration file, and can be used to m...Group -
Removable Partition
This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions, and mount_option_nodev_removable_partitions to ensure that the correct mount optio...Value -
Add nosuid Option to /home
The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/home</code>. The SUID and SGID permissions should not be required in these user data directories. ...Rule Medium Severity -
Add nosuid Option to Removable Media Partitions
The <code>nosuid</code> mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the s...Rule Medium Severity -
Verify Permissions on Important Files and Directories Are Configured in /etc/permissions.local
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses the <code>/etc/permissions.local</code> file, where ex...Group -
Verify that local /var/log/messages is not world-readable
Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set the...Rule Medium Severity -
Verify Permissions of Local Logs of audit Tools
The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. Check that "permissions.local" file contains the correct permissions rules...Rule Medium Severity -
Verify that Local Logs of the audit Daemon are not World-Readable
Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user. Check that "permis...Rule Medium Severity -
Restrict Programs from Dangerous Execution Patterns
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the ...Group -
Restrict Access to Kernel Message Buffer
To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg_restrict=1</pre> To make sure that the setting is...Rule Low Severity -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...Group -
kernel.kptr_restrict
Configure exposition of kernel pointer addressesValue -
Restrict Exposed Kernel Pointer Addresses Access
To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject...Rule Medium Severity -
Enable Randomized Layout of Virtual Address Space
To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> To make sure that the se...Rule Medium Severity -
Ensure SELinux State is Enforcing
The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub></code> at system boot time. In the file <code>/et...Rule High Severity -
Map System Users To The Appropriate SELinux Role
Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. ...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which SUSE Linux Enterprise Micro 5 installs on a system and disable soft...Group -
Base Services
This section addresses the base services that are installed on a SUSE Linux Enterprise Micro 5 default installation which are not covered in other sections. Some of these services listen on the net...Group -
Disable KDump Kernel Crash Analyzer (kdump)
The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("capture" kernel) following a system crash, which can lo...Rule Medium Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...Group -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
Postfix Root Mail Alias
Specify an email address (string) for a root mail alias.Value -
Configure System to Forward All Mail For The Root Account
Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_ali...Rule Medium Severity -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NF...Group -
Configure NFS Clients
The steps in this section are appropriate for systems which operate as NFS clients.Group -
Mount Remote Filesystems with Restrictive Options
Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,nodev,nosuid</code> to the list of mount options in co...Group -
Mount Remote Filesystems with noexec
Add thenoexecoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Mount Remote Filesystems with nosuid
Add thenosuidoption to the fourth column of/etc/fstabfor the line which controls mounting of any NFS mounts.Rule Medium Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
Vendor Approved Time Servers
The list of vendor-approved time serversValue -
Maximum NTP or Chrony Poll
The maximum NTP or Chrony poll interval number in seconds specified as a power of two.Value -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"></xccdf-1.2:sub> in <code>/etc/ntp.conf</code> o...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...Group -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Remove Host-Based Authentication Files
The <code>shosts.equiv</code> file lists remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: <pre>$ sudo ...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules