SLES 12 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information s...
Rule, Medium Severity
The SUSE operating system SSH daemon must be configured with a timeout interval.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...
Rule, Medium Severity
The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i....
Rule, Medium Severity
The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Rule, Medium Severity
The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, pote...
Rule, Medium Severity
Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory inclu...
Rule, Medium Severity
The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Rule, Medium Severity
The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
Rule, Medium Severity
The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect in...
Rule, Medium Severity
The SUSE operating system must have the packages required for multifactor authentication to be installed.
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect cred...
Rule, Medium Severity