SLES 12 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface.

    Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable fed...
    Rule Medium Severity
  • The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console.

    Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable fed...
    Rule Medium Severity
  • The SUSE operating system must utilize vlock to allow for session locking.

    A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary...
    Rule Low Severity
  • The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface.

    A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature ...
    Rule Low Severity
  • The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.

    SUSE operating system management includes the ability to control the number of users and user sessions that utilize a SUSE operating system. Limiting the number of allowed users and sessions per us...
    Rule Low Severity
  • The SUSE operating system must enforce passwords that contain at least one numeric character.

    Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting a...
    Rule Medium Severity
  • The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.

    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...
    Rule Medium Severity
  • The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.

    Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force...
    Rule Medium Severity
  • The SUSE operating system must never automatically remove or disable emergency administrator accounts.

    Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may...
    Rule Medium Severity
  • The SUSE operating system must not allow unattended or automatic logon via the graphical user interface.

    Failure to restrict system access to authenticated users negatively impacts SUSE operating system security.
    Rule High Severity
  • SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be...
    Rule Medium Severity
  • SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.

    If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system inf...
    Rule Medium Severity
  • All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

    SUSE operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selec...
    Rule High Severity
  • Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.

    Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the SUSE operating system. Changes to SUSE operating system co...
    Rule Medium Severity
  • The SUSE operating system must notify the System Administrator (SA) when AIDE discovers anomalies in the operation of any security functions.

    If anomalies are not acted on, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for ...
    Rule Medium Severity
  • The SUSE operating system must remove all outdated software components after updated versions have been installed.

    Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may...
    Rule Medium Severity
  • The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.

    Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.
    Rule Medium Severity
  • The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.

    To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Interactive users incl...
    Rule Medium Severity
  • All SUSE operating system files and directories must have a valid owner.

    Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier (UID) as the UID of the unowned files.
    Rule Medium Severity
  • All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.

    If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial...
    Rule Medium Severity
  • All SUSE operating system local initialization files must not execute world-writable programs.

    If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the use...
    Rule Medium Severity
  • SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.

    The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and se...
    Rule Medium Severity
  • SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.

    The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
    Rule Medium Severity
  • SUSE operating system kernel core dumps must be disabled unless needed.

    Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by e...
    Rule Medium Severity
  • The SUSE operating system must prevent unauthorized users from accessing system error messages.

    Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system o...
    Rule Medium Severity
  • The SUSE operating system must have the auditing package installed.

    Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events ...
    Rule Medium Severity
  • The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.

    It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...
    Rule Medium Severity
  • The SUSE operating system audit system must take appropriate action when the audit storage volume is full.

    It is critical that when the SUSE operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardw...
    Rule Medium Severity
  • Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.

    Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
    Rule Low Severity
  • The SUSE operating system must protect audit rules from unauthorized modification.

    Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audi...
    Rule Medium Severity
  • The SUSE operating system must not disable syscall auditing.

    By default, the SUSE operating system includes the "-a task,never" audit rule as a default. This rule suppresses syscall auditing for all tasks started with this rule in effect. Because the audit d...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

    Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all uses of the su command.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all uses of the chfn command.

    Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
    Rule Low Severity
  • The SUSE operating system must generate audit records for all uses of the ssh-agent command.

    Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
    Rule Low Severity
  • The SUSE operating system must generate audit records for all uses of the kmod command.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit rec...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown syscalls.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all uses of the passwd command.

    Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
    Rule Low Severity
  • The SUSE operating system must generate audit records for all uses of the newgrp command.

    Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
    Rule Low Severity
  • The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

    Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all uses of the chacl command.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all uses of the rm command.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all uses of the passmass command.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all uses of the chage command.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • The SUSE operating system must generate audit records for all uses of the init_module and finit_module syscalls.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.

    The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions fo...
    Rule Medium Severity
  • SuSEfirewall2 must protect against or limit the effects of Denial-of-Service (DoS) attacks on the SUSE operating system by implementing rate-limiting measures on impacted network interfaces.

    DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This require...
    Rule High Severity
  • All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.

    Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirem...
    Rule High Severity