SLES 12 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force... (Rule, Medium Severity) -
SRG-OS-000480-GPOS-00225
Group -
The SUSE operating system must prevent the use of dictionary words for passwords.
If the SUSE operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses an... (Rule, Medium Severity) -
SRG-OS-000123-GPOS-00064
Group -
SRG-OS-000118-GPOS-00060
Group -
The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts... (Rule, Medium Severity) -
SRG-OS-000480-GPOS-00226
Group -
The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. (Rule, Medium Severity) -
SRG-OS-000480-GPOS-00229
Group -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system must display the date and time of the last successful account logon upon logon.
Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. (Rule, Low Severity) -
SRG-OS-000480-GPOS-00227
Group -
There must be no .shosts files on the SUSE operating system.
The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the s... (Rule, High Severity) -
SRG-OS-000480-GPOS-00227
Group -
There must be no shosts.equiv files on the SUSE operating system.
The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it do... (Rule, High Severity) -
SRG-OS-000478-GPOS-00223
Group -
FIPS 140-2 mode must be enabled on the SUSE operating system.
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating system must implement cryptographic modules adhering to the higher stan... (Rule, Medium Severity) -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000185-GPOS-00079
Group -
SRG-OS-000138-GPOS-00069
Group -
The sticky bit must be set on all SUSE operating system world-writable directories.
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of ... (Rule, Medium Severity) -
SRG-OS-000363-GPOS-00150
Group -
SRG-OS-000447-GPOS-00201
Group -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. (Rule, Low Severity) -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system file integrity tool must be configured to verify extended attributes.
Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. (Rule, Low Severity) -
SRG-OS-000278-GPOS-00108
Group -
The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit recor... (Rule, Medium Severity) -
SRG-OS-000366-GPOS-00153
Group -
The SUSE operating system tool zypper must have gpgcheck enabled.
Changes to any software components can have significant effects on the overall security of the SUSE operating system. This requirement ensures the software has not been tampered with and has been p... (Rule, Medium Severity) -
SRG-OS-000437-GPOS-00194
Group -
SRG-OS-000378-GPOS-00163
Group -
The SUSE operating system must disable the USB mass storage kernel module.
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include but are not limited to such devices as flash drives, ex... (Rule, Medium Severity) -
SRG-OS-000114-GPOS-00059
Group -
The SUSE operating system must disable the file system automounter unless required.
Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000... (Rule, Medium Severity) -
SRG-OS-000312-GPOS-00122
Group -
The SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.
Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potentia... (Rule, Medium Severity) -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the... (Rule, High Severity) -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the... (Rule, High Severity) -
SRG-OS-000480-GPOS-00228
Group -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system must not have unnecessary accounts.
Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and a... (Rule, Medium Severity) -
SRG-OS-000104-GPOS-00051
Group -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system root account must be the only account having unrestricted access to the system.
If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SUSE operating system. Multiple accounts with a U... (Rule, High Severity) -
SRG-OS-000383-GPOS-00166
Group