SLES 12 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day.

    If cached authentication information is out of date, the validity of the authentication information may be questionable.
    Rule Medium Severity
  • SRG-OS-000383-GPOS-00166

    Group
  • The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.

    If cached authentication information is out of date, the validity of the authentication information may be questionable.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • All SUSE operating system files and directories must have a valid group owner.

    Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.

    If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.

    If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.

    Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.

    If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that s...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • All SUSE operating system local initialization files must have mode 0740 or less permissive.

    Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • All SUSE operating system local interactive user initialization files' executable search paths must contain only paths that resolve to the user's home directory.

    The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.

    The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.

    The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Exec...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.

    If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others. The only autho...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).

    The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
    Rule Low Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The SUSE operating system must use a separate file system for /var.

    The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
    Rule Low Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The SUSE operating system must use a separate file system for the system audit data path.

    The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
    Rule Low Severity
  • SRG-OS-000206-GPOS-00084

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.

    "pam-config" is a command line utility that automatically generates a system PAM configuration as packages are installed, updated or removed from the system. "pam-config" removes configurations for...
    Rule Medium Severity
  • SRG-OS-000337-GPOS-00129

    Group
  • SRG-OS-000037-GPOS-00015

    Group
  • SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

    Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events ...
    Rule Medium Severity
  • SRG-OS-000341-GPOS-00132

    Group
  • The SUSE operating system must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.

    To ensure SUSE operating systems have a sufficient storage capacity in which to write the audit logs, SUSE operating systems need to be able to allocate audit record storage capacity. The task of ...
    Rule Medium Severity
  • SRG-OS-000343-GPOS-00134

    Group
  • The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.

    If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
    Rule Medium Severity
  • SRG-OS-000046-GPOS-00022

    Group
  • SRG-OS-000046-GPOS-00022

    Group
  • The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.

    It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...
    Rule Medium Severity
  • SRG-OS-000047-GPOS-00023

    Group
  • SRG-OS-000342-GPOS-00133

    Group